(too old to reply)
Florian Balmer
2018-07-31 07:34:29 UTC
It seems like the intention of the following call to cgi_set_cookie()
is to generate a cookie to expire immediately, and direct the browser
to remove it (at least this could make sense for login cookies):


But in this case, cgi_set_cookie() creates a cookie with an empty
value, and no "max-age" directive.

Would it make sense to modify cgi_set_cookie() like this:

lifetime<=0 → max-age=0

This seems compatible with all (6) calls to cgi_set_cookie(). It would
no longer be possible to generate cookies without expiration
information, but the call linked above is currently the only one to
take this code path.

Another approach may be to modify cgi_set_cookie() to automatically
add "max-age=0" for any cookies with empty values, which could also
work together with the modified "lifetime" check.