
Issue 842673

Starred by 6 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug



Cookies persist for some ajax requests even after deleting

Reported by dmatafo...@gmail.com, May 14 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Steps to reproduce the problem:
1. I set session cookie SID 
2. I remove session cookie in Application tab
3. One of the ajax requests still sends DELETED cookie to server

What is the expected behavior?
Cookie should not persist after removing

What went wrong?
https://www.screencast.com/t/W6vonjkeeAdt

Did this work before? Yes 

Chrome version: 66.0.3359.139  Channel: n/a
OS Version: 10.0
Flash Version: 

If you go to Application/Clear storage -> then the cookie is finally deleted and doesn't get restored anymore
 
Components: Platform>DevTools Internals>Network>Cookies
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Typing "document.cookie" in the console is not necessarily a reliable mechanism for determining whether the browser has a cookie for the current document's domain.

In particular, a cookie that is set with the |HTTPOnly| attribute is never shown in the document.cookie collection; such cookies are only sent on HTTP requests.

I don't think I can attempt to reproduce this issue without an account on the site in question, but you can use the "Search" feature of the developer tools to see whether the SID cookie is set with the HTTPOnly attribute.

Comment 2 by mmenke@chromium.org, May 14 2018

Note that when you typed document.cookie, the SID cookie was not displayed - indicating, as elawrence says, that it may be an HttpOnly Cookie.  Generally, if document.cookie doesn't display a cookie, it can't delete it, either.
It's not the case, we don't use HttpOnly cookies and, as shown in the screencast, if I open the ajax request in a separate tab, the SID cookie is available and visible.

And it is also visible and available before deleting.

What else can I check?  It is quite easy to reproduce - you'll need a demo account at tradernet.ru. Login, then click some tabs, load some pages in the menu and exit. Then check Network and you will see that the browser sends the cookie with the ajax request to 'ajax-get-client-status' even if it is deleted.

Comment 4 by mmenke@chromium.org, May 14 2018

Looks like the SID cookie has a path set (Which is presumably /authentication), and you're clearing cookies on a request with path of /user/...
Labels: Needs-Bisect Needs-Triage-M66
SID cookie on login is set to / path

https://www.screencast.com/t/YhQp3lTbVGYr

And it stays and shows before being deleted on that path

https://www.screencast.com/t/O2RywS8iy


Comment 7 by mmenke@chromium.org, May 14 2018

Look at your video, at 1:28.  The SID line has "/..." under path.

Comment 8 by caseq@chromium.org, May 14 2018

Cc: caseq@chromium.org eostroukhov@chromium.org
Components: -Platform>DevTools Platform>DevTools>Network
Labels: -Needs-Bisect Needs-Feedback
So the trouble is that the cookie has a path? And in that case it should be invisible in the Application tab and absent in document.cookie? Is that the expected behavior?

Because I don't understand how that should work - some cookies that we set with a path are visible in the Application tab of the main window and can be deleted there. What is different about this one?

Comment 10 by sheriffbot@chromium.org, May 15 2018

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Another video that shows that there is a path in the cookie. But cookie itself is shown only on separate tab, not on the main window.

https://www.screencast.com/t/U9sT3pW6e
I can't easily reproduce this bug today - most of the time the cookie is deleted on logout as expected, the way it has worked for the previous 5 years. But sometimes the cookie persists somewhere inside the browser. I'm out of ideas on how to debug it, need help.
Sorry, I was wrong, or at least not really correct.  document.cookie='' is not supposed to delete all cookies - it's basically equivalent to the http line "Set-Cookie:" - i.e., it sets a nameless cookie.  It does not delete all cookies.

To delete a cookie, you'd need to do document.cookie='SID=whatever;expires=Thu, 01-Jan-70 00:00:01 GMT;path=/<insert path here>'

Experimentally, IE exhibits the same behavior.  You may be seeing a behavior change in the cookie store somewhere, but document.cookie='' not deleting cookies isn't that change.

Mozilla's handy docs:  https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie
> "Set-Cookie:" - i.e., it sets a nameless cookie.  It does not delete all cookies.

Ok, got you. But setting document.cookie='' was just an example - I can delete from Application tab.

Usually and regularly it is deleted from the server side on logout, when the header is sent.

Example of server response to delete SID cookie:

Set-Cookie: SID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.tradernet.ru
mmenke@chromium.org - can you try to reproduce the issue on the website? Or tell me what you want to try - I'll make a screencast.
To delete a cookie via Set-Cookie, it must have exactly the same name and path as it was set with. 

To attempt to reproduce on the site in question, I assume we would need a test account. 
Labels: Triaged-ET Needs-Feedback
As per comment#16 adding Needs-Feedback label.

@Reporter: Please provide sample credentials if possible.

Thanks!
Components: -Platform>DevTools>Network
ping reporter, it would help to provide a test site that reproduces this issue, or a net-log dump exhibiting the bug:
https://dev.chromium.org/for-testers/providing-network-details
I finally found what the problem was and now I am not sure if it's a bug or a feature.

Here is how to reproduce.

1. Go to https://tradernet.com/authentication/login
2. Set a cookie with a path by JS in the console, typing $.cookie('SID', 'test')
3. Now go to https://tradernet.com/instruments (different path)
4. Open Console -> Application -> Cookies -> https://tradernet.com

You will see that no cookie named SID exists. You can clear all cookies any way you like. In the browser or by JS.

Now go again to https://tradernet.com/authentication/login, open Console -> Application -> Cookies and you will see the cookie SID=test.

Looks like a bug to me, because no matter what path is set, the cookie should be shown in Application -> Cookies and the user should be able to delete it from there.
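The behaviour in the reproduction above, and the point made earlier in the thread that a deleting Set-Cookie must carry the same name and path as the original cookie, both follow from the path rules of RFC 6265 (default-path in section 5.1.4, path-match in section 5.1.4 and the Path attribute in section 5.2.4). The following is an added example, not Chromium's or the reporter's code: a minimal single-host cookie jar that models only those path rules (domain, Secure, HttpOnly and expiry ordering are deliberately left out), fed with the same URLs and the logout header quoted earlier in this issue.

```javascript
// Added example: a simplified model of the cookie store's path rules (RFC 6265).
// Single host only; domain, Secure, HttpOnly and expiry bookkeeping are omitted.

// RFC 6265 5.1.4: the default-path of a request URI when Set-Cookie has no Path.
// "/authentication/login" -> "/authentication", "/instruments" -> "/".
function defaultPath(url) {
  const path = new URL(url).pathname;
  const lastSlash = path.lastIndexOf('/');
  if (!path.startsWith('/') || lastSlash <= 0) return '/';
  return path.slice(0, lastSlash);
}

// RFC 6265 5.1.4: does the request path "path-match" the cookie's path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// Parse the pieces of a Set-Cookie header this model cares about.
function parseSetCookie(header) {
  const parts = header.split(';').map(s => s.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq < 0 ? '' : parts[0].slice(0, eq).trim(),
    value: eq < 0 ? parts[0] : parts[0].slice(eq + 1).trim(),
    path: undefined,
    expired: false,
  };
  for (const attr of parts.slice(1)) {
    const [rawKey, ...rest] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'path' && val.startsWith('/')) cookie.path = val;          // 5.2.4: ignore Path not starting with "/"
    else if (key === 'max-age' && /^-?\d+$/.test(val) && Number(val) <= 0) cookie.expired = true;
    else if (key === 'expires') {
      const t = Date.parse(val);
      if (!Number.isNaN(t) && t <= Date.now()) cookie.expired = true;
    }
  }
  return cookie;
}

class CookieJar {
  constructor() { this.store = new Map(); }   // key: name + path, as the store distinguishes them

  // Apply a Set-Cookie header received in a response for requestUrl.
  setCookie(requestUrl, header) {
    const c = parseSetCookie(header);
    if (!c || !c.name) return;
    const path = c.path || defaultPath(requestUrl);
    const key = `${c.name}|${path}`;
    // An expired Set-Cookie only removes the cookie with the SAME name and path.
    if (c.expired) this.store.delete(key);
    else this.store.set(key, { name: c.name, value: c.value, path });
  }

  // Cookies that would be attached to a request for requestUrl.
  cookiesFor(requestUrl) {
    const reqPath = new URL(requestUrl).pathname;
    return [...this.store.values()]
      .filter(c => pathMatches(reqPath, c.path))
      .map(c => `${c.name}=${c.value}`);
  }

  // Everything stored for the host, regardless of path (what a cookie viewer should list).
  all() {
    return [...this.store.values()].map(c => `${c.name}=${c.value}; path=${c.path}`);
  }
}

// Walk through the reproduction from this issue with constructed inputs.
function reproduceIssue() {
  const jar = new CookieJar();
  // Cookie set while on /authentication/login without an explicit Path: default-path is "/authentication".
  jar.setCookie('https://tradernet.com/authentication/login', 'SID=test');
  const onInstruments = jar.cookiesFor('https://tradernet.com/instruments');
  // The logout header quoted in the thread uses path=/, which names a different cookie slot.
  jar.setCookie('https://tradernet.com/user/logout',
    'SID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/');
  const afterPathSlashDelete = jar.cookiesFor('https://tradernet.com/authentication/login');
  const stillStored = jar.all();
  // Deleting with the matching path removes it.
  jar.setCookie('https://tradernet.com/user/logout', 'SID=deleted; Max-Age=0; path=/authentication');
  const afterMatchingDelete = jar.cookiesFor('https://tradernet.com/authentication/login');
  return { onInstruments, afterPathSlashDelete, stillStored, afterMatchingDelete };
}

console.log(reproduceIssue());
```

Running the block prints that /instruments receives no cookie, that the path=/ deletion leaves `SID=test; path=/authentication` in the store while /authentication/login keeps receiving it, and that only the deletion with `path=/authentication` clears it. A cookie viewer that filters by the current document's path, rather than listing `all()` for the host, is exactly what hides such a cookie from the developer.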

Comment 21 by sheriffbot@chromium.org, Jun 4 2018

Cc: sindhu.chelamcherla@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Components: Platform>DevTools>Network
Yep I can reproduce the issue in c#20. Going to re-add the devtools label since it looks like the problem is isolated to that UI surface.

After setting SID=test, I can always see that cookie by navigating to the Origin Info Bubble (click the "Secure" button next to the URL) and clicking "Cookies".
> After setting SID=test, I can always see that cookie by navigating to the Origin Info Bubble (click the "Secure" button next to the URL) and clicking "Cookies".

Yes, but now imagine that you are a developer and you are on the /instruments page. You have about 100 ajax requests sent to the server, and you don't see any cookies in the Application tab. How do you know that one of the requests to a particular path was sent WITH the cookie?
Hey dmatafonov,
You can see exactly which cookies are being sent in a request by using chrome://net-internals.

I verified in this case that https://tradernet.com/instruments does _not_ send the SID=test cookie, whereas the request to https://tradernet.com/authentication/login did use the cookie.

Devtools is probably just using cookies that were used by the actual page navigation.
Browser and network do work as expected. DevTools doesn't.

Application -> Cookies -> domain SHOULD show all cookies for the selected domain, not just cookies with the / path AND the selected path.

Otherwise there is no way to see all cookies with all paths for the selected domain in DevTools, but that's what DevTools is created for.
Labels: Network-Triaged

Comment 27 by l...@chromium.org, Jun 11 2018

Owner: einbinder@chromium.org
Status: Assigned (was: Unconfirmed)
einbinder@ or caseq@, could you please take a look
Owner: jarhar@chromium.org
Cc: jarhar@chromium.org mmenke@chromium.org pwnall@chromium.org
Issue 918413 has been merged into this issue.
