Closed
Symfony version(s) affected: 4.4.5
Description
It seems a SameSite param should be added to the clearCookie method in HttpFoundation, because in some situations the cookie can't be cleared.
How to reproduce
There is an SPA at, say, http://localhost:8080 and an API for it at, say, https://api
In the API, I set a cookie in a controller:
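    // requires: use Symfony\Component\HttpFoundation\Cookie;
    $response->headers->setCookie(
        new Cookie(
            'my-cookie-name',
            $myCookieContent,
            time() + 3600 * 24 * 7, // expires in 7 days
            '/',                    // path
            null,                   // domain
            true,                   // secure (HTTPS only)
            true,                   // http only
            false,                  // raw
            'None'                  // same site
        )
    );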
Deleting the cookie with this code doesn't work:
    $response->headers->clearCookie(
        'my-cookie-name',
        '/',  // path
        null, // domain
        true, // secure (HTTPS only)
        true  // http only
    );
But deleting the cookie with this code does (code from clearCookie, but with sameSite = 'None'):
    $response->headers->setCookie(
        new Cookie(
            'my-cookie-name',
            null,  // empty value
            1,     // expiry in the past
            '/',   // path
            null,  // domain
            true,  // secure (HTTPS only)
            true,  // http only
            false, // raw
            'None' // same site
        )
    );
Possible Solution
Add a $sameSite param to the clearCookie method.
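A deletion is itself a Set-Cookie header, so it passes through the same browser checks as the header that created the cookie, and the working snippet in the report differs from clearCookie only in carrying SameSite. The following is an added example, not code from the report or from Symfony: a helper that generalizes that workaround by copying every attribute of the original cookie into the expiring one. The function name expiredCopyOf, the sample value and the Composer autoload path are assumptions.

```php
<?php
// Added example, not Symfony's or the reporter's code.
// Assumes symfony/http-foundation is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Response;

/**
 * Hypothetical helper: build an already-expired cookie that copies every
 * attribute of the cookie it is meant to delete.
 */
function expiredCopyOf(Cookie $original): Cookie
{
    $sameSite = $original->getSameSite();
    if ($sameSite !== null && strtolower($sameSite) === 'none' && !$original->isSecure()) {
        // Browsers reject SameSite=None without Secure, so the deletion would be dropped too.
        throw new InvalidArgumentException('SameSite=None requires the Secure flag.');
    }

    return new Cookie(
        $original->getName(),
        null,                    // empty value
        1,                       // expiry in the past, as clearCookie uses
        $original->getPath(),
        $original->getDomain(),
        $original->isSecure(),
        $original->isHttpOnly(),
        $original->isRaw(),
        $sameSite                // the attribute clearCookie leaves out in the report
    );
}

// Constructed sample: same attributes as the cookie set in the report.
$session = new Cookie('my-cookie-name', 'constructed-value', time() + 3600 * 24 * 7,
    '/', null, true, true, false, 'None');

$response = new Response();
$response->headers->setCookie(expiredCopyOf($session));

// Print the Set-Cookie header(s) to confirm Secure, HttpOnly and SameSite are present.
foreach ($response->headers->getCookies() as $cookie) {
    echo 'Set-Cookie: ' . $cookie . PHP_EOL;
}
```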