Correct logout with an expiring token instead of deleting it

jess2304 · jess2304 · commit f2b7aed2da50 · 2025-07-29T22:45:06.000+02:00
diff --git a/WS/api/views.py b/WS/api/views.py
@@ -102,12 +102,14 @@ class LogoutView(APIView):
     def post(self, request):
         logger.info(f"[Logout] Cookies reçus pour suppression : {request.COOKIES}")
         response = Response({"detail": "Déconnecté."}, status=status.HTTP_200_OK)
-        deletion_keys = ["path", "domain"]
-        cookie_params_delete = {
-            k: v for k, v in COOKIE_PARAMS.items() if k in deletion_keys
-        }
-        response.delete_cookie("access_token", **cookie_params_delete)
-        response.delete_cookie("refresh_token", **cookie_params_delete)
+
+        for cookie in ["access_token", "refresh_token"]:
+            response.set_cookie(
+                key=cookie,
+                value="",
+                max_age=0,
+                **COOKIE_PARAMS,
+            )
         return response
 
 
diff --git a/WS/next_shape_ws/settings.py b/WS/next_shape_ws/settings.py
@@ -226,7 +226,7 @@ def get_cookie_settings():
             "path": "/",
         }
     else:
-        return {"httponly": True, "secure": True, "samesite": "None", "path": "/"}
+        return {"httponly": True, "secure": False, "samesite": "Lax", "path": "/"}
 
 
 COOKIE_PARAMS = get_cookie_settings()

Original file line number	Diff line number	Diff line change
`@@ -226,7 +226,7 @@ def get_cookie_settings():`
`226`	`226`	`"path": "/",`
`227`	`227`	`}`
`228`	`228`	`else:`
`229`		`- return {"httponly": True, "secure": True, "samesite": "None", "path": "/"}`
	`229`	`+ return {"httponly": True, "secure": False, "samesite": "Lax", "path": "/"}`
`230`	`230`
`231`	`231`
`232`	`232`	`COOKIE_PARAMS = get_cookie_settings()`