Site: oceg-web-site.netlify.app
We have a logout serverless function, which accepts a redirectUrl query string parameter. It clears the authentication cookie. Standard stuff. Except we also need to clear the Intercom session cookie and other identifying cookies when logging the user out. Those cookies are set at the root domain so they can work across all subdomains. We don’t have control over that; it’s 3rd-party code.
We cannot set / clear cookies at the root domain in either serverless functions or edge functions. As soon as a set-cookie header contains a domain that’s not the exact hostname of the incoming request, the header gets scrubbed. When trying to do so in an edge function, I can see in the log a message saying the header gets scrubbed because the domain is wrong.
9:56:10 AM: [intercom-logout] intercom-session-v1o8md99=;Max-Age=-1; Path=/; Domain=oceg.org
9:56:10 AM: scrubbed set-cookie header; set-cookie for wrong domain
That seems like a bug. Setting a cookie on domain oceg.org in response to a request to www.oceg.org is 100% valid.
https://www.rfc-editor.org/rfc/rfc6265#section-4.1.2.3
Any workaround other than clearing those cookies client-side? This would be our last resort and pretty ugly - we’d need to return a 200 response, set the cookies via JavaScript and handle redirection client-side… like I said, very ugly.
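Added example (not from the original post or from Netlify): a check of the RFC 6265 domain-matching rule the post cites, showing that a Set-Cookie with Domain=oceg.org in a response served by www.oceg.org is accepted by a user agent, while a mismatched or public-suffix domain is rejected. The small PUBLIC_SUFFIXES set is a constructed stand-in for the real Public Suffix List.

```javascript
// Added example: RFC 6265 domain matching applied to a Set-Cookie header,
// to decide whether a response from requestHost may set/clear a cookie
// whose Domain attribute is D.

// Constructed, minimal public-suffix set; a real check consults the full
// Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// RFC 6265 section 5.1.3: host domain-matches domain if they are equal, or
// host ends with "." + domain and host is not an IP address.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return host.endsWith("." + domain) && !isIpAddress(host);
}

// Parse a Set-Cookie header value into { name, attrs } (attribute keys
// lower-cased; valueless attributes such as Secure become true).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const name = pair.slice(0, pair.indexOf("=")).trim();
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// RFC 6265 section 5.3 steps 4-6: would a user agent accept this Set-Cookie
// header from a response served by requestHost?
function setCookieAccepted(header, requestHost) {
  const { attrs } = parseSetCookie(header);
  let domain = attrs.domain;
  if (domain === undefined || domain === "") return true; // host-only cookie
  domain = domain.replace(/^\./, "").toLowerCase();
  // A public suffix is only allowed when it is exactly the request host.
  if (PUBLIC_SUFFIXES.has(domain)) return domain === requestHost.toLowerCase();
  return domainMatches(requestHost, domain);
}
```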