in go, deleting a cookie requires explicitly setting its maxage to -1 and matching the original path (and optionally domain, secure, or httponly)—simply modifying a cookie retrieved from the request and re-sending it will not work due to missing or mismatched attributes.
To reliably delete a cookie in Go, you must overwrite it with a new cookie that has the same name, path, domain (if applicable), and an expiration in the past. Browsers ignore cookies with mismatched scope attributes—even if the name matches—so reusing the cookie object from r.Cookie() is error-prone: it may lack Path, Domain, or Secure flags set during initial creation, causing the deletion attempt to be ignored.
Here’s the correct approach:
http.SetCookie(w, &http.Cookie{
Name: "login",
Value: "", // optional, but conventional
Path: "/app", // must match original cookie's Path
Domain: "example.com", // include only if originally set
MaxAge: -1, // signals immediate expiration
Expires: time.Now().Add(-100 * time.Hour), // fallback for older IE
Secure: true, // must match original (if HTTPS-only)
HttpOnly: true, // must match original (if used)
})⚠️ Key points:
- Path is critical: If the original cookie was set with Path: "/admin", omitting or mis-setting Path here will leave the cookie intact.
- Domain matters: If the cookie was set with Domain: ".example.com", you must include the exact same value (note the leading dot).
- Secure and HttpOnly must match: These are part of the cookie’s identity; mismatch prevents overwrite.
- Avoid reusing r.Cookie(): It returns only what the browser sent—not the full original cookie spec. Always reconstruct the deletion cookie manually using known creation parameters.
? Pro tip: When setting cookies initially, store their configuration (e.g., path, domain, flags) in constants or config structs—this ensures consistency when deleting later.
In summary: cookie deletion in Go is not “removal” but intentional overwriting with an expired, scoped counterpart. Precision in attributes—not just name—is what makes it work.
