Can't set cookies on root domain?


We have a logout serverless function, which accepts a redirectUrl query string parameter. It clears the authentication cookie. Standard stuff. Except we also need to clear the Intercom session cookie and other identifying cookies when logging the user out. Those cookies are set at the root domain so they can work across all subdomains. We don’t have control over that, it’s 3rd party code.

We cannot set / clear cookies at the root domain in either serverless functions or edge functions. As soon as a set-cookie header contains a domain that’s not the exact hostname of the incoming request, the header gets scrubbed. When trying to do so in an edge function, I can see in the log a message saying the header gets scrubbed because the domain is wrong.

9:56:10 AM: [intercom-logout] intercom-session-v1o8md99=;Max-Age=-1; Path=/;
9:56:10 AM: scrubbed set-cookie header; set-cookie for wrong domain

That seems like a bug. Setting a cookie on domain in response to a request to is 100% valid.

Any workaround other than clearing those cookies client-side? This would be our last resort and pretty ugly - we’d need to return a 200 response, set the cookies and javascript and handle re-direction client side… like I said, very ugly.

I don’t have any workaround than what you’ve suggested already @slegay. But for what it’s worth, this has been sent to the devs to investigate and possibly fix it as soon as possible.

Hey @slegay,

This should now be fixed.