We have a logout serverless function, which accepts a redirectUrl query string parameter. It clears the authentication cookie. Standard stuff. Except we also need to clear the Intercom session cookie and other identifying cookies when logging the user out. Those cookies are set at the root domain so they can work across all subdomains. We don’t have control over that; it’s 3rd-party code.
We cannot set / clear cookies at the root domain in either serverless functions or edge functions. As soon as a set-cookie header contains a domain that’s not the exact hostname of the incoming request, the header gets scrubbed. When trying to do so in an edge function, I can see in the log a message saying the header gets scrubbed because the domain is wrong.
9:56:10 AM: [intercom-logout] intercom-session-v1o8md99=;Max-Age=-1; Path=/; Domain=oceg.org
9:56:10 AM: scrubbed set-cookie header; set-cookie for wrong domain
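
Added example (not part of the original post and not the platform's code): a check that classifies a Set-Cookie header's Domain attribute against the request host, comparing the exact-hostname rule described above with the RFC 6265 domain-match a browser applies. The hostnames and cookie names are constructed, and the exact-host rule is modelled on the post's description only.

```javascript
// Return the normalized Domain attribute of a Set-Cookie value, or null if absent.
function cookieDomain(setCookie) {
  let domain = null;
  for (const part of setCookie.split(";").slice(1)) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim().toLowerCase() !== "domain") continue;
    // RFC 6265 5.2.3: drop one leading dot, lowercase; the last Domain wins.
    const v = part.slice(eq + 1).trim().toLowerCase().replace(/^\./, "");
    domain = v === "" ? null : v;
  }
  return domain;
}

// Classify the cookie's scope relative to the host that served the response.
//   host-only     : no Domain attribute, cookie is bound to the request host
//   exact-host    : Domain equals the request host
//   parent-domain : request host is a subdomain of Domain (a browser accepts this,
//                   and the cookie becomes visible to every sibling subdomain)
//   foreign       : Domain does not domain-match the request host at all
// Note: no public-suffix check is done here; browsers also reject Domain=com.
function classify(setCookie, requestHost) {
  const host = requestHost.toLowerCase().replace(/:\d+$/, "");
  const domain = cookieDomain(setCookie);
  if (domain === null) return "host-only";
  if (domain === host) return "exact-host";
  // RFC 6265 5.1.3: suffix match on a label boundary, never for IP addresses.
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  if (!isIp && host.endsWith("." + domain)) return "parent-domain";
  return "foreign";
}

// Assumed model of the rule in the post: only host-scoped cookies survive.
function passesExactHostRule(setCookie, requestHost) {
  const scope = classify(setCookie, requestHost);
  return scope === "host-only" || scope === "exact-host";
}

// Constructed sample: clearing a root-domain cookie from a subdomain.
const sample = "example-session=; Max-Age=-1; Path=/; Domain=example.com";
console.log(classify(sample, "app.example.com"));            // parent-domain
console.log(passesExactHostRule(sample, "app.example.com")); // false
```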