cookie removal and Microsoft Edge

Question

cookie removal and Microsoft Edge

HaHa421 opened this issue 6 months ago · comments

HaHa421 commented 6 months ago

Rocket Version

0.5.0

Operating System

windows 10/11

Rust Toolchain Version

rustc 1.76

What happened?

using Edge, removing a cookie sets its expiration date not in the past but far in the future : here I get Sunday, September 20, 5838270
I tested the site using Brave, Firefox end Chrome : the cookie is cleared as expected

Test Case

//

Log Output

//

Additional Context

No response

System Checks

My bug report relates to functionality.
I have tested against the latest Rocket release or a recent git commit.
I have tested against the latest stable rustc toolchain.
I was unable to find this issue previously reported.

Sergio Benitez · Answer 1 · Fri Feb 16 2024 02:07:00 GMT+0800 (China Standard Time)

Please provide a test case and a screenshot of the browser as well as the exact version of the browser.

HaHa421 · Answer 2 · Fri Feb 16 2024 07:33:31 GMT+0800 (China Standard Time)

Browser : Microsoft Edge
Version 121.0.2277.112 (Official build) (64-bit)

here is the cookie after "removal" , content is erased but this remains

Name
test_cookie
Content
Domain

Path
/
Send for
Same-site connections only
Created
Friday, February 16, 2024 at 12:28:14 AM
Expires
Sunday, September 20, 5838270 at 12:09:20 AM

the code is pruned from other routes :

use rocket::*;
use rocket::http::{Cookie,CookieJar};

#[get("/set_cookie")]
async fn set_cookie(cookies: &CookieJar<'_>,) {
    cookies.add(Cookie::new("test_cookie", "val"));
}

#[get("/remove_cookie")]
async fn remove_cookie(cookies: &CookieJar<'_>) {
    cookies.remove("test_cookie");
}

#[tokio::main]
async fn main() -> Result<(), Error> {
  let _ = rocket::build()
        .mount("/", routes![set_cookie,remove_cookie])
       .launch()
        .await?;
  Ok(())
}

Sergio Benitez · Answer 3 · Fri Feb 16 2024 08:39:17 GMT+0800 (China Standard Time)

I'm sorry, but you're going to need to provide clearer information about what's going on. I have tried to reproduce the issue you're describing without success. On both macOS and Windows, Edge successfully clears the cookie.

Here's what I need from you:

A console log of Rocket with your reproduction showing incoming and outgoing requests where the issue occurs with debug logging enabled. This was requested in the issue template but was ignored.
A screenshot of the developer tools in your Edge browser that shows the information you're describing here. When a cookie is deleted, both max-age and Expires are set. I need to see what the browser is receiving, exactly. Ideally, this is two things: the response headers and the cookie information.

Please also format your responses with markdown so that they're easier to read.

Please do not ignore issue templates in the future. They are designed so that this back-and-forth is avoided as much as possible. When you ignore the issue template, you increase workload on maintainers unnecessarily.

HaHa421 · Answer 4 · Fri Feb 16 2024 09:50:51 GMT+0800 (China Standard Time)

rocket log writes as expected:

 sending response: Response {
    status: 200,
    version: HTTP/1.1,
    headers: {
        "set-cookie": "test_cookie=; SameSite=Lax; Path=/; Max-Age=0; Expires=Thu, 16 Feb 2023 01:41:49 GMT",
        "server": "Rocket",
        "x-content-type-options": "nosniff",
        "x-frame-options": "SAMEORIGIN",
        "permissions-policy": "interest-cohort=()",
        "content-length": "0",
    },
    body: Body(
        Streaming,
    ),
}

and I get only this warning in Edge developer tools console:

Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'interest-cohort'.

Edge keeps setting the cookie expiration date at : Sunday, September 20, 5838270 at 12:09:20 AM

HaHa421 · Answer 5 · Fri Feb 16 2024 11:10:03 GMT+0800 (China Standard Time)

I get the same behavior from Edge on a linux machine

Sergio Benitez · Answer 6 · Fri Feb 16 2024 11:50:29 GMT+0800 (China Standard Time)

Please post the following:

I need to see what the browser is receiving, exactly. Ideally, this is two things: the response headers and the cookie information.

This can be found in the developer tools.

Also, is your clock set correctly?

HaHa421 · Answer 7 · Fri Feb 16 2024 17:32:48 GMT+0800 (China Standard Time)

When an inspect cookies in the Application tab of developer tools, the cookie doesn't show after removal which is good
I added the route

#[get("/check_cookie")]
async fn check_cookie(cookies: &CookieJar<'_>)->String {
    match cookies.get("test_cookie") {
      Some(_)=>String::from("Cookie found"),
      _=>String::from("Cookie not found"),
    }
}

and everything is ok
Meanwhile the cookie still shows up in "View Site Information --> Cookies" ,which might be annoying from a user perspective.
anyway , this seems to be related to Edge implementation so I suppose we can close the issue