Can't delete cookie with AngularJS's $cookies

遇见更好的自我 2021-01-17 09:28

My web app is made so that when a user logs in the server adds a Set-Cookie header to the response, like this:

Set-Cookie:JSESSIONID=1; Path=/myApp/; Secure

3 Answers
  •  一整个雨季
    2021-01-17 09:58

    Be aware of the cookie domain of the cookie you want to delete. If you're working with multiple subdomains (i.e. one for static resources, another for the api) your problem could be that you're trying to delete a cookie for the wrong domain.

    Have a look at your cookies with your browser's developer tool of choice. Whatever domain is set for the cookie you want to delete that you're having problems with, specify it in the options parameter to the remove method.

    $cookies.remove('JSESSIONID', {domain: 'domain.tld'});
    

    SECURITY TIP: Deleting the session ID via JavaScript doesn't delete the session on the server. If your session IDs leak you could suffer from session fixation. It would be better to delete the cookie via calling a logout endpoint in your API which would clear the session completely on the server so that it can't be re-used.
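
The logout flow recommended in the answer above, sketched as an added example that is not part of the original post or of the asker's server: the session is invalidated in the server-side store first, then the cookie is expired with the same Path and Secure attributes as the Set-Cookie header in the question. The in-memory `Map` session store and all function names are assumptions made for illustration.

```javascript
// Attributes copied from the question's header:
//   Set-Cookie:JSESSIONID=1; Path=/myApp/; Secure
const SESSION_COOKIE = { name: 'JSESSIONID', path: '/myApp/', secure: true };

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const out = Object.create(null);
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Build the Set-Cookie value that makes the browser drop the cookie.
// Path (and Domain, if one was set) must equal those of the original cookie;
// otherwise the browser stores a second, different cookie and keeps the old one.
function expireCookie({ name, path, domain, secure }) {
  const attrs = [`${name}=`, `Path=${path}`];
  if (domain) attrs.push(`Domain=${domain}`);
  attrs.push('Max-Age=0', 'Expires=Thu, 01 Jan 1970 00:00:00 GMT');
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Check run on every protected request (hypothetical helper).
function isAuthenticated(sessions, cookieHeader) {
  const id = parseCookieHeader(cookieHeader)[SESSION_COOKIE.name];
  return id !== undefined && sessions.has(id);
}

// Core of a logout endpoint: invalidate server-side, then expire the cookie.
function logout(sessions, cookieHeader) {
  const id = parseCookieHeader(cookieHeader)[SESSION_COOKIE.name];
  const invalidated = id !== undefined && sessions.delete(id);
  return { invalidated, setCookie: expireCookie(SESSION_COOKIE) };
}
```

After `logout` runs, a copied `JSESSIONID` value no longer maps to a session, which deleting the cookie in the browser alone does not achieve.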
