fix[faustwp-core]: (#2313) add security flags to removeCookie() (#2314)

latenighthackathon · web-flow · commit 10ad81408173 · 2026-04-14T11:00:36.000+02:00
* fix[faustwp-core]: (#2313) add security flags to removeCookie() removeCookie() expires the refresh token cookie with only the expires attribute, missing the path, sameSite, secure, and httpOnly flags that setCookie() uses when setting it. Without a matching path: '/', the browser may not delete the correct cookie on logout. Add the same security attributes used in setRefreshToken() so the browser correctly identifies and expires the target cookie. Closes #2313 * chore: add changeset for cookie removal fix --------- Co-authored-by: latenighthackathon <latenighthackathon@users.noreply.github.com>
diff --git a/.changeset/cookie-removal-flags.md b/.changeset/cookie-removal-flags.md
@@ -0,0 +1,5 @@
+---
+"@faustwp/core": patch
+---
+
+fix[faustwp-core]: add path, sameSite, secure, and httpOnly flags to removeCookie() to match setCookie() attributes
diff --git a/packages/faustwp-core/src/server/auth/cookie.ts b/packages/faustwp-core/src/server/auth/cookie.ts
@@ -70,6 +70,10 @@ export class Cookies {
 		this.response?.setHeader(
 			'Set-Cookie',
 			cookie.serialize(key, '', {
+				path: '/',
+				sameSite: 'strict',
+				secure: true,
+				httpOnly: true,
 				expires: new Date(0),
 			}),
 		);

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@faustwp/core": patch
 +---
++
 +fix[faustwp-core]: add path, sameSite, secure, and httpOnly flags to removeCookie() to match setCookie() attributes