I have an odd issue. I've got an API with three endpoints: /ping, /login, and /logout. The /login endpoint sets a token cookie, /logout deletes the token cookie, and /ping just returns "pong".

The endpoints work like this:

POST /login with payload username=bob&password=kidname returns set-cookie: token=abcd; Path=/
GET /logout with a cookie: token=abcd header returns set-cookie: token=""; Path=/; Max-Age=0
GET /ping returns 'pong' in text/plain

When the user logs in with /login, the token cookie gets set, and it's visible in document.cookie in the browser. When the user logs out with /logout, the token cookie disappears from document.cookie, but it is still present in any subsequent requests to /ping.

I don't understand why the cookie is persisted in subsequent requests to the domain (in Chrome only, per Chrome dev tools and server logs), even though the server "deleted" the cookie, and JavaScript shows the cookie deleted. Firefox works as expected, but Chromium-based browsers are the dominant browsers today.
Turns out I had a duplicate token cached and scoped under my /api path, which was overriding my / path cookie.
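To see why a path-scoped duplicate survives a Path=/ deletion, here is an added example (my own code, not the poster's) that replays the flow with Python's http.cookiejar standing in for the browser's cookie store. It assumes the API lives under http://example.test/api, and the cause of the duplicate (a Set-Cookie without a Path attribute, which gets the default path /api) is a constructed guess, not something the post states.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed origin; the question's API is assumed to live under /api.
ORIGIN = "http://example.test"


class FakeResponse:
    """Minimal stand-in for an HTTP response: exposes only its Set-Cookie headers."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for line in set_cookie_headers:
            self._headers.add_header("Set-Cookie", line)

    def info(self):
        return self._headers


def receive(jar, url, set_cookie_headers):
    """Store the Set-Cookie headers of a response to `url`, as a browser would."""
    jar.extract_cookies(FakeResponse(set_cookie_headers), urllib.request.Request(url))


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a GET of `url` (None if none)."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def simulate(clear_api_path):
    """Replay the question's flow; return the Cookie header seen at each step."""
    jar = http.cookiejar.CookieJar()
    # POST /api/login: the intended cookie, scoped to the whole site.
    receive(jar, f"{ORIGIN}/api/login", ["token=abcd; Path=/"])
    # The stale duplicate (constructed cause): a Set-Cookie without a Path
    # attribute gets the default path "/api", the directory of the request URL.
    receive(jar, f"{ORIGIN}/api/login", ["token=abcd"])
    before = cookie_header_for(jar, f"{ORIGIN}/api/ping")
    # GET /api/logout: the server "deletes" the cookie, but only for Path=/ ...
    deletes = ['token=""; Path=/; Max-Age=0']
    if clear_api_path:  # ... unless it also clears the /api-scoped copy.
        deletes.append('token=""; Path=/api; Max-Age=0')
    receive(jar, f"{ORIGIN}/api/logout", deletes)
    return {
        "api_ping_before_logout": before,
        "root_after_logout": cookie_header_for(jar, f"{ORIGIN}/"),
        "api_ping_after_logout": cookie_header_for(jar, f"{ORIGIN}/api/ping"),
    }


if __name__ == "__main__":
    print("bug:", simulate(clear_api_path=False))
    print("fix:", simulate(clear_api_path=True))
```

document.cookie on a page served at / reflects only cookies whose Path matches /, which is why the /api-scoped copy is invisible there while still being sent with every request under /api. The server-side fix is to expire the cookie for every Path (and Domain) it may have been set with, as the clear_api_path branch does.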