Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
272 views
in Technique[技术] by (71.8m points)

javascript - Session cookie not deleted on IOS tablet and smartphone

Using node.js express library to clear the cookie on logout

app.post('/logout', (req, res, next) => {
    // cookie-session library used hence req.session = null is valid
    req.session = null;
    res.clearCookie('auth');
    res.end();
});

Works perfectly on all desktop machines and Android devices, but not on iOS device browsers (Firefox, Chrome, Safari, among others). All iOS testing devices are version 14+.

Tried the available options for clearCookie ("res.clearCookie function doesn't delete cookies") to no avail.

However, using incognito mode on iOS devices works, meaning the cookie gets cleared; closing the browser (which clears the session) also works.

When setting the cookie (login) I use the default

res.cookie('auth')

Does anyone have a clue to what's going on?

EDIT

Tried iOS 10 on an iPhone 5c and it works. Seems to really be an issue with 14+.

question from:https://stackoverflow.com/questions/65869993/session-cookie-not-deleted-on-ios-tablet-and-smartphone


1 Answer

0 votes
by (71.8m points)

Some background information. According to the HTTP specification, there is no way to delete a cookie. The common approach to clear cookies is to set the expiration time to a time in the past (the clearCookie function in express uses this approach).

source code of clearCookie()

res.clearCookie = function clearCookie(name, options) {
  var opts = merge({ expires: new Date(1), path: '/' }, options);
  return this.cookie(name, '', opts);
}

The problem might be with the cookie-setting problems caused by the new privacy features in iOS 14, meaning that there is a very strict policy on which cookies are allowed to be set. It is possible that the "setting expiration to the past" method used by "clearCookie" is not allowed in iOS 14. See more about the new privacy features in iOS 14 here

Btw, be sure to check the "path" attribute is correct in the "options" object
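
The note about "path" matters because a browser identifies a stored cookie by name, domain and path, so the expiring Set-Cookie sent by clearCookie() only removes a cookie whose attributes match the ones used at login. The following is an added example, not code from the original post or from Express: a simplified cookie jar modelling that rule, in which the CookieJar class, the host app.example.test and the token value are constructed for illustration.

```javascript
// Simplified model of browser cookie storage (RFC 6265): a stored cookie is
// identified by name + domain + path. Everything here is constructed for
// illustration; it is not Express or browser code.

// Same defaults as the clearCookie() source quoted in the answer.
function clearCookieAttrs(options) {
  return Object.assign({ expires: new Date(1), path: '/' }, options);
}

class CookieJar {
  constructor(requestHost) {
    this.host = requestHost; // host the responses come from
    this.store = new Map();
  }
  key(name, attrs) {
    // No Domain attribute: the cookie is bound to the request host.
    const domain = (attrs.domain || this.host).toLowerCase();
    // Assumption: requests are made at the site root, so a missing Path is '/'.
    return `${name}|${domain}|${attrs.path || '/'}`;
  }
  // Apply one Set-Cookie. An expiry in the past evicts only the exact match.
  set(name, value, attrs = {}, now = new Date()) {
    const k = this.key(name, attrs);
    if (attrs.expires && attrs.expires <= now) this.store.delete(k);
    else this.store.set(k, value);
  }
  has(name) {
    return [...this.store.keys()].some((k) => k.startsWith(name + '|'));
  }
}

// Returns true when the 'auth' cookie is still in the jar after logout.
function survivesLogout(loginOptions, logoutOptions) {
  const jar = new CookieJar('app.example.test');        // hypothetical host
  jar.set('auth', 'constructed-token', loginOptions);   // login response
  jar.set('auth', '', clearCookieAttrs(logoutOptions)); // logout response
  return jar.has('auth');
}

console.log(survivesLogout({ path: '/' }, {}));                  // attributes match
console.log(survivesLogout({ path: '/app' }, {}));               // path mismatch
console.log(survivesLogout({ path: '/app' }, { path: '/app' })); // same path passed
console.log(survivesLogout({ domain: 'example.test' }, {}));     // domain mismatch
```

A session cookie that survives logout stays valid on the device, so the same options object should be passed to both res.cookie() and res.clearCookie().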

