Delete REPL_AUTH cookie

I use Repl Authentication for my website, and when I want to sign out, I just delete the REPL_AUTH cookie that exists. I want to create a button that signs out the user by deleting the cookie. How do I do that? I am trying to implement it on my testing link first. Pretty sure this falls under code help.

Repl link:

This can only be done through an http header, it cannot be done through JS or HTML

That’s the only way to delete a cookie? I have a backend but would like to do this all in the frontend.

Theres no way to do this front end (Unless you redirect or request to a cookie deletion page), see http - Correct way to delete cookies server-side - Stack Overflow

What about something like this?

document.cookie = 'REPL_AUTH=; Max-Age=0; path=/; domain=' + location.hostname;


function eraseCookie() {
    document.cookie = 'REPL_AUTH' + '=; Max-Age=0'

that supposedly runs in frontend, according to AI?

Can’t you make a function and set the expiry date of the cookie to a past date (like January 1, 1970)? (with JS in this case)

1 Like

I think I found that, eraseCookie() so I’ll try it.

Edit: it does something odd; it doesn’t delete the cookie, rather it makes an empty cookie named REPL_AUTH

Edit 2: Soo I think that REPL_AUTH is a server cookie (dunno what that is) so it’s deleted in the backend. I don’t know why this has the HTML/CSS/JS tag, so I’ll change it to Node.js and I still don’t know how to do it, especially making the front end delete it in the backend.

It is an HTTP-only cookie, so the frontend can’t access it.

1 Like

So the frontend can’t send a message to the backend telling it to delete the cookie?

That’d be possible, although you’d need an HTTP response header from the server telling the user’s browser to remove it, so you’d need to send an HTTP request (basically, just sending a message on a websocket connection wouldn’t be enough.

How could this be achieved?

You could probably set an HTTP-only REPL_AUTH cookie that has already expired (that should work). It’s worth noting that removing a REPL_AUTH token does not invalidate it (i.e. it doesn’t protect against replay attacks).

I was trying to sign the user out, somehow; Replit made a way to sign in, but not sign out ;-; and it’s probably a security risk but I wasn’t looking to invalidate it; that’s probably not possible.

Sorry for the repetition, but I’ve never felt the need to work with cookies. This is my first actual interaction with using the browser to make use of cookies. How do I do this? With a line of code?

You could always set your own cookie that can be revoked server-side and is tied to a specific account.