0

I'm creating a session; after the session/cookie is created, it vanishes immediately.

    session, err := r.Cookie("session-id")
    if err != nil {
        session = &http.Cookie{
            Name:   "session-id",
            Value:  sessionID.String(), // uuid
            MaxAge: 0,
        }
        http.SetCookie(w, session)
    }

I'm not sure if it's being deleted, but the moment the cookie is created it vanishes immediately from Google Chrome (Application/Cookies). This is a problem because I can't detect the cookie when going to another path.

Jonathan Hall
Kevin Bryan

3 Answers

2

> This is a problem because I can't detect the cookie when going to another path.

If the path parameter is not set in the set cookie response header, then the client sets the cookie's path to the request path. Clients only send a cookie to the server when the cookie's path is a path prefix of the request path.

To make a cookie available to all paths, set the path to "/".

    session = &http.Cookie{
        Name:  "session-id",
        Value: sessionID.String(), // uuid
        Path:  "/",
    }

(Because the zero value for an integer is 0, there's no need to specify the MaxAge value).

Charlie Tumahai
1

According to MDN:

> Max-Age: number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately

When looking at the source code for the SetCookie func, which calls the cookie's String() method, we can see in line 208 that your cookie age of 0 will not be written to the request - your cookie should be accepted.

There might be other factors that might make this cookie invalid from the user-agent side; the server side seems to be fine. What happens when you try a different browser (e.g. Firefox)?

xarantolus
-3

Setting MaxAge to 0 means delete the cookie immediately.

Use -1 to store the cookie until browser exits.

Yotamz
  • 1
    Zero and negative values expire the cookie immediately. – icza Dec 01 '19 at 09:01
  • I think setting it to -1 means delete and setting it to 0 is infinite amount of time. When I use -1 the cookie is not even created. – Kevin Bryan Dec 01 '19 at 09:02
  • 2
    @StormAsdg: No, read [the docs](https://golang.org/pkg/net/http/#Cookie). 0 and < 0 have the same behavior. The same is true for all implementations, according to [RFC 6265](https://tools.ietf.org/html/rfc6265#page-20). – Jonathan Hall Dec 01 '19 at 10:22
  • @Flimzy so you cannot set it to infinite? – Kevin Bryan Dec 01 '19 at 10:30
  • 1
    @StormAsdg: No, [you cannot](https://stackoverflow.com/a/3290474/13860). – Jonathan Hall Dec 01 '19 at 10:31
  • @Flimzy, 0 and < 0 have different behavior per the docs you point to. When `Cookie.MaxAge == 0`, the Max-Age parameter is omitted from the response header. Clients handle cookies with no expiration or max-age parameter as a [session cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Session_cookies). When `Cookie.MaxAge < 0`, the Max-Age parameter is written to the response header as 0. Clients delete cookies that have an age greater than or equal to the cookie's max-age. – Charlie Tumahai Dec 01 '19 at 15:34
  • The actual functionality is the opposite of what's described in this answer. Setting Cookie.MaxAge to -1 causes the client to delete the cookie. Setting Cookie.MaxAge to 0 creates a cookie with the lifetime of the client's browser session. – Charlie Tumahai Dec 01 '19 at 15:41
  • @CeriseLimón: Oh, you're right. I misinterpreted `equivalently 'Max-Age: 0'` as `equivalently 'MaxAge = 0'` – Jonathan Hall Dec 01 '19 at 15:42
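Added example, not part of the original thread or any poster's code: it checks both points discussed above (the Path attribute from the first answer and the MaxAge semantics from the comments) by serialising a cookie with net/http, parsing it as a client would, and asking a cookie jar whether it would send the cookie to another path. The host `app.example`, the paths, the cookie value and the helper name `roundTrip` are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// roundTrip (hypothetical helper) serialises c the way http.SetCookie does,
// parses the Set-Cookie header as a client would, stores the result in a jar
// for the URL setFrom, and reports whether the jar sends it to requestTo.
func roundTrip(c *http.Cookie, setFrom, requestTo string) (header string, sent bool) {
	header = c.String()
	resp := &http.Response{Header: http.Header{"Set-Cookie": {header}}}
	jar, _ := cookiejar.New(nil)
	from, _ := url.Parse(setFrom)
	to, _ := url.Parse(requestTo)
	jar.SetCookies(from, resp.Cookies())
	for _, got := range jar.Cookies(to) {
		if got.Name == c.Name {
			return header, true
		}
	}
	return header, false
}

func main() {
	// Constructed URLs: the cookie is set from a nested path, then a
	// different top-level path is requested.
	const from, other = "https://app.example/login/start", "https://app.example/account"
	cases := []*http.Cookie{
		// The question's cookie: no Path, so the client defaults it to the
		// directory of the request path ("/login", RFC 6265 section 5.1.4).
		{Name: "session-id", Value: "constructed-value", MaxAge: 0},
		// Path "/" makes it visible site-wide; MaxAge 0 omits Max-Age.
		{Name: "session-id", Value: "constructed-value", Path: "/"},
		// MaxAge < 0 is written as "Max-Age=0", which deletes the cookie.
		{Name: "session-id", Value: "constructed-value", Path: "/", MaxAge: -1},
		// MaxAge > 0 is written as-is and the cookie is kept.
		{Name: "session-id", Value: "constructed-value", Path: "/", MaxAge: 3600},
	}
	for _, c := range cases {
		h, sent := roundTrip(c, from, other)
		fmt.Printf("%-52q sent to /account: %v\n", h, sent)
	}
}
```

Only the second and fourth cookies reach `/account`; the first is still sent to paths under `/login`.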