43

I set cookies with the code suggested in the docs:

from flask import make_response

@app.route('/')
def index():
    resp = make_response(render_template(...))
    resp.set_cookie('username', 'the username')
    return resp

But how do I remove them? There is no remove_cookie method. I tried:

if request.cookies.get('sessionID'):
    request.cookies.pop('sessionID', None)

but it turns out that the request.cookies object is immutable. What do I do?

Oliver

3 Answers

69

There's no HTTP header for deleting a cookie. Traditionally you just set the cookie to a dummy value with an expiration date in the past, so it immediately expires.

resp.set_cookie('sessionID', '', expires=0)

This will set the session id cookie to an empty string that expires at unixtime 0, which is almost certainly in the past.

Eevee
  • Is this necessary, given ThiefMaster's answer? – Oliver Jan 17 '13 at 19:18
  • a cookie can exist and still be empty. using `expires` will actually delete it. but the difference is pretty minor, yes. – Eevee Jan 17 '13 at 19:21
  • Since flask session is stored on client side, is it possible for a poorly behaved client to ignore this request and still keep the cookies? – oeter May 12 '21 at 07:36
  • @oeter well, sure; it's possible for a poorly behaved client to do _anything_. that's what makes it poorly behaved :) – Eevee May 18 '21 at 01:20
26

We can make use of delete_cookie() available from flask.Response.

resp.delete_cookie('username')

This will delete the cookie on response. Here is delete_cookie documentation.

Also, you may want to add path (default set to '/') and domain (default set to None).

resp.delete_cookie('username', path='/', domain='yourdomain.com')

Here is the interpreter screenshot which shows delete_cookie object in flask.Response.

Python Interpreter Screenshot

Reck
  • This does not delete the cookie on the developer tools > Application. I'm not sure why. This is my snippet `res = make_response('', 204) res.delete_cookie(key='refresh_token', path='/') return res` – Ryan Aquino May 25 '20 at 12:59
  • Check with passing domain as localhost. If the cookie is set with a domain, then it can be deleted with domain being passed. – Reck May 26 '20 at 08:10
  • I figured it out, `credentials: 'include'` should be set to headers on every request, this includes cookies on the request. – Ryan Aquino May 27 '20 at 04:02
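
The mechanism behind the two answers above, as an added example that is not part of the original posts: a client stores cookies per (name, domain, path), so an expired Set-Cookie removes only the entry with the same scope. The jar is a simplified model, and the host `example.test`, the value `abc123` and the header strings are constructed to mirror the calls shown on this page.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

EPOCH = 'Thu, 01 Jan 1970 00:00:00 GMT'  # what expires=0 becomes on the wire


def apply_set_cookie(jar, header, request_host):
    """Apply one Set-Cookie value to jar, a dict keyed by (name, domain, path).

    Simplified client model: no Domain attribute means the request host, and
    no Path attribute means '/' (Flask sends Path on every cookie).
    """
    parsed = SimpleCookie()
    parsed.load(header)
    for name, morsel in parsed.items():
        key = (name, morsel['domain'] or request_host, morsel['path'] or '/')
        if morsel['max-age']:                 # Max-Age wins over Expires
            expired = int(morsel['max-age']) <= 0
        elif morsel['expires']:
            expired = parsedate_to_datetime(morsel['expires']) <= datetime.now(timezone.utc)
        else:
            expired = False                   # session cookie, no expiry given
        if expired:
            jar.pop(key, None)                # removes only the same-scope entry
        else:
            jar[key] = morsel.value
    return jar


def demo(host='example.test'):                # constructed host name
    """Replay constructed headers shaped like the calls on this page."""
    jar, snapshots = {}, []
    headers = [
        'sessionID=abc123; Path=/',                            # set_cookie('sessionID', 'abc123')
        'username="the username"; Path=/app',                  # set_cookie(..., path='/app')
        f'sessionID=; Expires={EPOCH}; Path=/',                # set_cookie('sessionID', '', expires=0)
        f'username=; Expires={EPOCH}; Max-Age=0; Path=/',      # delete_cookie('username')
        f'username=; Expires={EPOCH}; Max-Age=0; Path=/app',   # delete_cookie('username', path='/app')
    ]
    for header in headers:
        snapshots.append(dict(apply_set_cookie(jar, header, host)))
    return snapshots


if __name__ == '__main__':
    for step, state in enumerate(demo(), 1):
        print(step, state)
```

Step 4 leaves the `/app`-scoped cookie in place because the deletion was sent for `Path=/`; only step 5, with the matching path, empties the jar.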
9

You need to set the cookie with an expiry that's in the past.

resp = make_response(render_template(...))
resp.set_cookie('username', expires=0)
return resp

By the way, I hope you don't actually expect that username cookie to be safe. Because it's not. The user can put anything he wants in there. The solution is usually to use the Flask session which uses a signed cookie that cannot be modified by the user.

ThiefMaster
  • Hm, okay. I know they aren't secure but I haven't gotten around to figuring out how to read signed cookies with a different service (I have Flask talking to a node.js app) – Oliver Jan 17 '13 at 19:18