[BUG] Second CKAN Cookie in _logout Response #107

Open
OfficialOwlElder opened this issue Sep 4, 2024 · 3 comments
Comments

OfficialOwlElder commented Sep 4, 2024

Please note that this happened after migrating our CKAN instance from an Ubuntu 20.04 machine to a Debian 12 machine and upgrading CKAN to the latest version of 2.10.

Describe the bug
Upon logging out, the session cookie does not get deleted, leaving the user still logged in. It seems that two cookies are sent in the _logout response. There is a difference in the domains, but as I understand it this should not matter.

One domain starts with a dot:
.subdomain.domain.com

whereas the other is normal:
subdomain.domain.com

[Screenshot, 2024-09-04: the two Set-Cookie response headers]

The first Response Cookie is the expected cookie with the correct expiration date. The second cookie is being injected somewhere and replacing the original cookie. I have tried printing all the response headers in the logout() function and I only see the correct cookie:

from datetime import datetime, timedelta

from ckan.plugins import toolkit
import ckanext.saml2auth.helpers as h  # provides get_site_domain_for_cookie() (module path assumed)


def logout(self):
    # _perform_slo() is defined in the same plugin module; it returns the
    # redirect response to the IdP, or None when no SLO is performed
    response = _perform_slo()
    if response:
        domain = h.get_site_domain_for_cookie()
        # Clear session cookie in the browser
        response.set_cookie('ckan', domain=domain, expires=datetime.utcnow() - timedelta(days=1))
        #response.set_cookie('ckan', expires=0)
        if not toolkit.check_ckan_version(min_version="2.10"):
            # CKAN <= 2.9.x also sets auth_tkt cookie
            response.set_cookie('auth_tkt', domain=domain, expires=0)

        # Debug: dump every response header (only one Set-Cookie shows up here)
        for header_item in response.headers.items():
            print(header_item)
    return response

Please let me know if I can provide any additional information.

Thank you for your support.

ckanext-saml2auth version affected
v1.1.0

Expected behaviour
Upon logging out, one ckan cookie should be included in the _logout response setting the expiration time to 0.

Logs
Everything in the logs looks normal for both ckan-worker and ckan-uwsgi.

@mixmixmix

Do you have any workaround for it @OfficialOwlElder? I might have hit the same issue (will inspect cookies to confirm), but my logs say:
using 'logout_expected_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
I see in logs:

2024-11-03 17:07:41,368 DEBUG [ckanext.saml2auth.plugin] Redirecting to the IdP to continue the logout process
2024-11-03 17:07:41,369 INFO  [ckanext.saml2auth.plugin] User miks<[redacted-email]> logged out successfully
2024-11-03 17:07:41,371 INFO  [ckan.config.middleware.flask_app]  302 /user/_logout render time 0.296 seconds

but in the CKAN site I'm still logged in! 😩

@OfficialOwlElder (Author)

@mixmixmix Unfortunately, I was not able to figure out where the 2nd cookie is coming from so I couldn't find a workaround. This issue has been on the back burner for me since it is only affecting the logout. I am happy to help, though this one has me stumped.

@mixmixmix

Thanks for a prompt response @OfficialOwlElder! My issue is slightly different, as I'm not getting two cookies (maybe because I do not get a redirect back from the Identity Provider?). However, I managed to fix the issue by removing the domain parameter:

response.set_cookie("ckan", expires=0)

Now when re-visiting the site after the logout, I have a new cookie and the user is logged out.

I'm on 2.10.4.
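Added example, not code from this issue or from ckanext-saml2auth: it replays the two logout variants discussed above (the plugin's set_cookie with the site domain, and mixmixmix's fix without it) against Python's RFC 6265-style http.cookiejar, to show why only the delete without a Domain attribute clears a session cookie that was itself set without one. The hostname, the cookie value, and the assumption that the session cookie was stored host-only (Flask's default when no cookie domain is configured) are constructed for the demonstration.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

SITE = "https://subdomain.domain.com"      # constructed hostname, mirrors the report
EXPIRED = "Thu, 01 Jan 1970 00:00:00 GMT"  # the date Flask emits for expires=0


class _Response:
    """Minimal stand-in for an HTTP response carrying Set-Cookie headers."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for hdr in set_cookie_headers:
            self._headers.add_header("Set-Cookie", hdr)

    def info(self):
        return self._headers


def apply_response(jar, url, set_cookie_headers):
    """Store a response's Set-Cookie headers in the jar the way a browser would."""
    jar.extract_cookies(_Response(set_cookie_headers), Request(url))


def session_cookies(jar):
    """(domain, value) of every surviving 'ckan' cookie."""
    return [(c.domain, c.value) for c in jar if c.name == "ckan"]


def simulate_logout(logout_set_cookie):
    """Log in, then apply one logout Set-Cookie header; return what survives."""
    jar = CookieJar()
    # Assumption: the session cookie was set host-only (no Domain attribute),
    # which is Flask's default when no cookie domain is configured.
    apply_response(jar, SITE + "/user/login", ["ckan=sess123; Path=/"])
    if session_cookies(jar) != [("subdomain.domain.com", "sess123")]:
        raise RuntimeError("login cookie was not stored as host-only")
    apply_response(jar, SITE + "/user/_logout", [logout_set_cookie])
    return session_cookies(jar)


# With a Domain attribute the delete targets a domain cookie, stored as
# ".subdomain.domain.com" (a leading dot is implied and otherwise ignored,
# RFC 6265 section 5.2.3), so the host-only session cookie is left untouched.
WITH_DOMAIN = "ckan=; Domain=subdomain.domain.com; Path=/; Expires=" + EXPIRED
# Without Domain the delete matches the host-only cookie and removes it.
HOST_ONLY = "ckan=; Path=/; Expires=" + EXPIRED

if __name__ == "__main__":
    print("delete with Domain    ->", simulate_logout(WITH_DOMAIN))  # cookie survives
    print("delete without Domain ->", simulate_logout(HOST_ONLY))    # []
```

The same name/domain/path matching rule applies in browsers, so a logout handler has to clear the cookie with exactly the attributes it was set with.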
