Delete REPL_AUTH cookie

Question:
I use Repl Authentication for my website, and when I want to sign out, I just delete the REPL_AUTH cookie that exists. I want to create a button that signs out the user by deleting the cookie. How do I do that? I am trying to implement it on my testing link first. Pretty sure this falls under code help.


Repl link:
https://replit.com/@doxr/UIbrotheres

This can only be done through an HTTP header; it cannot be done through JS or HTML.

That’s the only way to delete a cookie? I have a backend but would like to do this all in the frontend.

There's no way to do this front end (unless you redirect or request to a cookie deletion page), see http - Correct way to delete cookies server-side - Stack Overflow

What about something like this?

document.cookie = 'REPL_AUTH=; Max-Age=0; path=/; domain=' + location.hostname;

or

function eraseCookie() {
    document.cookie = 'REPL_AUTH' + '=; Max-Age=0'
}

that supposedly runs in frontend, according to AI?

Can’t you make a function and set the expiry date of the cookie to a past date (like January 1, 1970)? (with JS in this case)

I think I found that, eraseCookie() so I’ll try it.

Edit: it does something odd; it doesn’t delete the cookie, rather it makes an empty cookie named REPL_AUTH

Edit 2: Soo I think that REPL_AUTH is a server cookie (dunno what that is) so it’s deleted in the backend. I don’t know why this has the HTML/CSS/JS tag, so I’ll change it to Node.js and I still don’t know how to do it, especially making the front end delete it in the backend.

It is an HTTP-only cookie, so the frontend can’t access it.

So the frontend can’t send a message to the backend telling it to delete the cookie?

That’d be possible, although you’d need an HTTP response header from the server telling the user’s browser to remove it, so you’d need to send an HTTP request (basically, just sending a message on a websocket connection wouldn’t be enough).

How could this be achieved?

You could probably set an HTTP-only REPL_AUTH cookie that has already expired (that should work). It’s worth noting that removing a REPL_AUTH token does not invalidate it (i.e. it doesn’t protect against replay attacks).

I was trying to sign the user out, somehow; Replit made a way to sign in, but not sign out ;-; and it’s probably a security risk but I wasn’t looking to invalidate it; that’s probably not possible.

Sorry for the repetition, but I’ve never felt the need to work with cookies. This is my first actual interaction with using the browser to make use of cookies. How do I do this? With a line of code?

You could always set your own cookie that can be revoked server-side and is tied to a specific account.
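
What the last few replies describe, as an added example that is not code from the thread or from Replit: a Node.js handler that answers a POST with already-expired HttpOnly cookies and revokes an app-owned session server-side. The `app_session` cookie name, the in-memory store, the `/logout` route and the `Path=/` attribute assumed for REPL_AUTH are assumptions.

```javascript
// Added example: server-side sign-out for an HttpOnly cookie (Node.js, no dependencies).
const { randomBytes } = require('node:crypto');

// Assumption: REPL_AUTH was set host-only with Path=/; a deletion only takes
// effect when Path (and Domain, if one was set) match the original cookie.
function expireCookie(name) {
  return `${name}=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Lax`;
}

// Hypothetical app session: a random id in an "app_session" cookie, looked up
// in a server-side store so sign-out can revoke it, unlike the REPL_AUTH token.
const sessions = new Map(); // session id -> username

function createSession(username) {
  const id = randomBytes(32).toString('hex');
  sessions.set(id, username);
  return id;
}

function parseCookies(header = '') {
  const out = Object.create(null);
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Returns the signed-in username, or null once the session has been revoked.
function currentUser(req) {
  return sessions.get(parseCookies(req.headers.cookie).app_session) ?? null;
}

// POST /logout: revoke the session server-side, then tell the browser to drop both cookies.
function handleLogout(req, res) {
  if (req.method !== 'POST') {
    res.writeHead(405, { Allow: 'POST' });
    return res.end();
  }
  sessions.delete(parseCookies(req.headers.cookie).app_session);
  res.writeHead(204, { 'Set-Cookie': [expireCookie('REPL_AUTH'), expireCookie('app_session')] });
  res.end();
}

// Wire-up: require('node:http').createServer(handleLogout).listen(3000)
// Button:  fetch('/logout', { method: 'POST' }).then(() => location.reload())
```

A copy of the REPL_AUTH value taken before sign-out is still accepted afterwards; only the `app_session` id stops working, because the server forgets it.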