CookiesManagerUtil#deleteCookies does not work in some cases https://liferay.dev/en/c/message_boards/find_thread?p_l_id=119785294&threadId=122695198 2026-04-09T12:21:32Z 2026-04-09T12:21:32Z Zsigmond Rab https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785294&messageId=122702737 2024-06-05T13:32:22Z 2024-06-05T13:32:21Z

<p>Hi Rafal,</p> <p>It's planned to implement the support of the&nbsp;<code>__Secure-</code>&nbsp;prefix also during implementing the&nbsp;<a href="https://liferay.atlassian.net/issues/LPD-10595">https://liferay.atlassian.net/issues/LPD-10595</a>.</p> <p>Regards,<br> Zsigmond</p>

Zsigmond Rab 2024-06-05T13:32:21Z Rafal Pydyniak https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785294&messageId=122695197 2024-06-05T08:59:57Z 2024-06-03T10:12:16Z

<p>When using Liferay recommended way to add SameSite: none to JSESSIONID cookie&nbsp;https://help.liferay.com/hc/en-us/articles/12648655215885-SameSite-cookie-attribute it also affects other cookies (custom ones and Liferay ones like "COMPANY_ID", "COOKIE_SUPPORT" etc</p> <p>This is generally fine as far as I can tell.&nbsp;</p> <p>The issue is if we also have https site and "secure" attribute is added to the cookie. In such case adding cookie works but removing it with&nbsp;CookiesManagerUtil#deleteCookies does not as the deletion of cookie does not include secure=true attribute. Looking at the code of CookiesManagerImpl#deleteCookies confirms that:</p> <pre>cookie.setSecure(secure);</pre> <p>is missing.</p> <p>&nbsp;</p> <p>Tested with CE GA89 but same behavior is present on master branch:&nbsp;https://github.com/liferay/liferay-portal/blob/master/modules/apps/cookies/cookies-impl/src/main/java/com/liferay/cookies/internal/manager/CookiesManagerImpl.java#L222</p>

Rafal Pydyniak 2024-06-03T10:12:16Z