Closed

Symfony version(s) affected
5.4.11, 6.1
Description
When investigating the headers sent upon logout in our application, I noticed that two Set-Cookie headers are included for PHPSESSID, e.g.:
PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; HttpOnly; SameSite=lax
PHPSESSID=deleted; expires=Sun, 08 Aug 2021 15:55:14 GMT; Max-Age=0; path=/; httponly; samesite=lax
We have our own UserProvider and Authenticator, but as you can see from the example application below this issue seems to be unrelated to that. It arises with json_login as well.
How to reproduce
To reproduce this I created a sample project and added a test that successfully runs through if upon logout two Set-Cookie headers with PHPSESSID=delete are sent: https://github.com/GiGaJKlein/symfony_two_cookies_issue
To run the test: ./bin/phpunit tests/TestForBug.php
Note: You may have to adjust the hashed hardcoded password in /config/packages/security.yaml
Possible Solution
No response
Additional Context
No response
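
A check for the condition described in this report, as an added example that is not part of the original issue or the linked repository: it groups a response's Set-Cookie values by name, domain and path and reports any cookie that is set more than once, along with the attributes that differ between the copies. The function names are hypothetical; the sample input is the two header values quoted in the report.

```python
from collections import defaultdict

# Sample input: the two Set-Cookie values quoted in the report above.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; "
    "path=/; HttpOnly; SameSite=lax",
    "PHPSESSID=deleted; expires=Sun, 08 Aug 2021 15:55:14 GMT; Max-Age=0; "
    "path=/; httponly; samesite=lax",
]


def parse_set_cookie(header_value):
    """Return (name, value, attrs) with attribute names lowercased."""
    first, *rest = [part.strip() for part in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def find_duplicate_cookies(set_cookie_values):
    """Report every (name, domain, path) that is set more than once."""
    groups = defaultdict(list)
    for raw in set_cookie_values:
        name, _, attrs = parse_set_cookie(raw)
        # Assumption: a missing Domain/Path is compared as an empty string;
        # a browser would derive defaults from the request URL instead.
        key = (name, attrs.get("domain", "").lower(), attrs.get("path", ""))
        groups[key].append(attrs)
    findings = []
    for (name, domain, path), entries in groups.items():
        if len(entries) < 2:
            continue
        names = set().union(*entries)
        differing = sorted(
            n for n in names
            if len({e[n].lower() if n in e else None for e in entries}) > 1
        )
        findings.append({
            "name": name, "domain": domain, "path": path,
            "count": len(entries),
            "all_deletions": all(e.get("max-age") == "0" for e in entries),
            "differing_attributes": differing,
        })
    return findings
```

Attribute names and values are compared case-insensitively, so `HttpOnly` and `httponly` count as the same attribute.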