One does not simply delete cookies


Web Dev discusses the complexities of API naming and cookie handling in web development. The author uses their current project, built with Astro and basic authentication via Twitch, as a case study. They describe how they worked around the tool's lack of built-in sign-out functionality by creating their own route to 'delete' the authentication cookies. However, their solution didn't work in the production environment. The issue was traced back to a misunderstanding of how cookies are 'deleted': instead of being erased, a cookie is invalidated by setting an expiry date in the past. The author also discovered that modifying a cookie directly from server-side code is not technically possible; servers send cookie modification requests to the browser via Set-Cookie HTTP response headers. The article concludes with the writer sharing their journey of understanding and overcoming these challenges, from modifying the cookies in development, through detecting and interpreting cookie-related warnings in the browser, to finally logging the user out of the application successfully by adjusting the cookie options.
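The following is an added example, not code from the original post, modelling how a browser applies `Set-Cookie` so that a "delete" only succeeds when its options target the stored cookie. The summary does not say which options the author adjusted; a `Path` mismatch is assumed here as one such case, and the host, routes and cookie values are constructed.

```javascript
// Simplified model of a browser cookie store (RFC 6265): a stored cookie is
// identified by name + domain + path, so an expiring Set-Cookie only removes
// the cookie whose identity it matches.

// RFC 6265 default-path: used when Set-Cookie carries no Path attribute.
function defaultPath(requestPath) {
  if (!requestPath.startsWith("/")) return "/";
  const last = requestPath.lastIndexOf("/");
  return last === 0 ? "/" : requestPath.slice(0, last);
}

// Apply one Set-Cookie header received for a request to host + requestPath.
function applySetCookie(jar, header, host, requestPath) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: host, path: defaultPath(requestPath), expires: null };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "path" && val.startsWith("/")) c.path = val;
    if (key === "domain") c.domain = val.replace(/^\./, "").toLowerCase();
    if (key === "expires") c.expires = Date.parse(val);
    if (key === "max-age") c.expires = Date.now() + Number(val) * 1000;
  }
  const id = `${c.name}|${c.domain}|${c.path}`;
  // An expiry in the past evicts the matching cookie; otherwise store it.
  if (c.expires !== null && c.expires <= Date.now()) jar.delete(id);
  else jar.set(id, c);
  return jar;
}

function demo() {
  const host = "app.example"; // constructed host
  const past = "Expires=Thu, 01 Jan 1970 00:00:00 GMT";
  const jar = new Map();
  // Sign-in sets the session cookie for the whole site.
  applySetCookie(jar, "session=abc123; Path=/; HttpOnly; Secure", host, "/auth/callback");
  // Sign-out without Path: the deletion targets default path "/api", not "/".
  applySetCookie(jar, `session=; ${past}`, host, "/api/signout");
  const afterMismatch = jar.size; // session cookie is still stored
  // Sign-out repeating the original Path: identity matches, cookie is evicted.
  applySetCookie(jar, `session=; Path=/; ${past}; HttpOnly; Secure`, host, "/api/signout");
  return { afterMismatch, afterMatch: jar.size };
}
```

A sign-out handler is only effective if the session cookie is actually gone afterwards, so checking the browser's cookie store after the response (and invalidating the session server-side) confirms the logout took effect.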
