Expire Cookie with Secure and HTTPOnly enabled

1. The problem I’m having:

Hello, I’m using caddyfile and caddy security as well. In my code I have one cookie with Secure and HTTPOnly enabled and I’d like to expire it. But when I used the command:

+Set-Cookie "MY_COOKIE=null; Expires=Mon, 01 Jan 1900 07:00:00 GMT;"

The cookie has not expired and continues with the same previous values.

2. Error messages and/or full log output:

I don’t have an error, but the cookie has not expired.

3. Caddy version:

I’m using Caddyfile

4. How I installed and ran Caddy:

Docker image

a. System environment:

Docker

b. Command:

docker run --rm -p PORT -v $(PWD)/Caddyfile:/srv/Caddyfile

d. My complete Caddy config:

route /MYROUTE {
	authorize with MY_AUTHORIZATION

	header {
		+Set-Cookie "MY_COOKIE=null; Expires=Mon, 01 Jan 1900 07:00:00 GMT;"
	}
	redir * /
}

Can you help me?

What do you see when you make a request with curl -v?

I use the browser’s inspect and see the cookie with the same value, and it has not expired.

That’s not what I asked. Make a request with curl -v and see what the response headers look like.

Either way, this doesn’t seem like a problem with Caddy, but rather with HTTP headers and cookies. That’s not a webserver concern, it’s a concern of the application layer.

Okay, I get your point. But if I’d like to expire a cookie with Secure and HTTPOnly enabled, what is the command to do that? This command +Set-Cookie "MY_COOKIE=null; Expires=Mon, 01 Jan 1900 07:00:00 GMT;" is enough, right?

There are no “commands” in Caddy, they’re “directives”. You’re using the header directive to manipulate response headers.

Look at the actual response headers using curl -v. It’s important to see what else is in the response headers.
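An added example, not part of the thread and not Caddy's code: a Python check to run over the Set-Cookie lines that curl -v shows, reporting why an expiring header would not replace an existing cookie. Browsers match cookies on name, Domain and Path (RFC 6265), not on Secure or HttpOnly; the original cookie's attributes, `example.com` and the `/login` path are constructed assumptions, since the thread never shows how MY_COOKIE was set.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed: how the cookie might have been set (not shown in the thread).
ORIGINAL = "MY_COOKIE=abc123; Domain=example.com; Path=/; Secure; HttpOnly"
# The header value from the Caddyfile in the post.
DELETION = "MY_COOKIE=null; Expires=Mon, 01 Jan 1900 07:00:00 GMT;"

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [p.strip() for p in value.split(";") if p.strip()]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def default_path(request_path):
    """RFC 6265 section 5.1.4: path used when Set-Cookie carries no Path."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]

def identity(value, request_path):
    """(name, domain, path): what a browser matches on when replacing a cookie."""
    name, attrs = parse_set_cookie(value)
    domain = attrs.get("domain", "").lstrip(".").lower()  # "" means host-only
    return name, domain, attrs.get("path") or default_path(request_path)

def why_not_expired(original, original_path, deletion, deletion_path):
    """Reasons the deletion header would leave the original cookie in place."""
    old, new = identity(original, original_path), identity(deletion, deletion_path)
    problems = [f"{label} differs: {a!r} vs {b!r}"
                for label, a, b in zip(("name", "Domain", "Path"), old, new)
                if a != b]
    _, attrs = parse_set_cookie(deletion)
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        if int(attrs["max-age"]) > 0:
            problems.append("Max-Age is positive")
    elif "expires" in attrs:
        when = parsedate_to_datetime(attrs["expires"])  # Expires dates are GMT
        if when.replace(tzinfo=timezone.utc) > datetime.now(timezone.utc):
            problems.append("Expires is in the future")
    else:
        problems.append("no Expires or Max-Age: this sets a session cookie")
    return problems
```

Pass each function the Set-Cookie value and the request path it was returned for; an empty list means the second header targets the same cookie and expires it.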