fix(clerk-js): unset domain cookies

[jacekradko]

Description

Evaluating this change.. not ready for merge

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• New Features

  • Domain-aware session cookies for consistent behavior across subdomains and cross-origin contexts.
  • Improved cookie attributes (SameSite and partitioned) for better compatibility and security.

• Bug Fixes

  • Logout and session rotation now reliably clear stale cookies, including subdomain variants.
  • Prevents duplicate or lingering cookies by purging legacy non-domain cookies.

• Tests

  • Expanded tests to validate domain-specific set/remove flows and attribute handling across contexts.

[changeset-bot]

⚠️ No Changeset found

Latest commit: db12467

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
clerk-js-sandbox	Ready	Preview	Comment	Oct 9, 2025 4:40pm

[coderabbitai]

Walkthrough

Updates session cookie management to compute and use a domain value when setting and removing cookies. Removal now clears both with-domain and without-domain variants for backward compatibility. Tests were updated to mock domain resolution and assert domain-aware set/remove sequences for cross-origin and same-origin contexts.

Changes

Cohort / File(s)	Summary
Cookie session implementation packages/clerk-js/src/core/auth/cookies/session.ts	Use getCookieDomain to determine domain. On remove: delete session cookies with domain and without domain. On set: purge legacy no-domain cookies, then set cookies with domain, including partitioned and sameSite attributes per context. No exported API signature changes.
Cookie session tests packages/clerk-js/src/core/auth/cookies/__tests__/session.test.ts	Mock getCookieDomain and assert domain is included in set/remove. Validate sequences: double remove before set in non-cross-origin, domain-aware attributes in cross-origin (SameSite=None) and non-cross-origin, and expanded removal coverage for with-domain and without-domain cases.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor App
  participant SessionCookies as SessionCookies (module)
  participant Domain as getCookieDomain()
  participant Store as CookieStore

  rect rgb(240,245,255)
  note right of App: Set(token)
  App->>SessionCookies: set(token, opts)
  SessionCookies->>Domain: resolve domain
  Domain-->>SessionCookies: domain
  SessionCookies->>Store: remove(sessionCookie) (no domain)
  SessionCookies->>Store: remove(suffixedSessionCookie) (no domain)
  SessionCookies->>Store: set(sessionCookie, token, {domain, partitioned, sameSite})
  SessionCookies->>Store: set(suffixedSessionCookie, token, {domain, partitioned, sameSite})
  end

  rect rgb(245,240,255)
  note right of App: Remove()
  App->>SessionCookies: remove(opts)
  SessionCookies->>Domain: resolve domain
  Domain-->>SessionCookies: domain
  SessionCookies->>Store: remove(sessionCookie, {domain})
  SessionCookies->>Store: remove(suffixedSessionCookie, {domain})
  SessionCookies->>Store: remove(sessionCookie) (no domain)
  SessionCookies->>Store: remove(suffixedSessionCookie) (no domain)
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

I nibble the crumbs of domains and subdomains,
Hop-hop, I tidy old trails and their remains.
With a whisk and a wink, I set them just right—
Partitioned, SameSite, tucked in for the night.
Backward tracks swept, new burrows aligned—
Cookies in order; a rabbit’s peace of mind. 🥕🍪

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "fix(clerk-js): unset domain cookies" concisely communicates the primary fix introduced in this pull request, which updates the cookie management logic to remove cookies with explicit domain attributes. It directly corresponds to the implementation changes in session.ts and the adjusted test expectations around domain-aware cookie removal. This phrasing is clear, specific, and devoid of unnecessary noise, allowing team members to quickly grasp the purpose of the changes.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/unset-domain-cookies

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 56a81aa and db12467.

📒 Files selected for processing (2)

• packages/clerk-js/src/core/auth/cookies/__tests__/session.test.ts (4 hunks)
• packages/clerk-js/src/core/auth/cookies/session.ts (2 hunks)

🧰 Additional context used

📓 Path-based instructions (9)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

• packages/clerk-js/src/core/auth/cookies/__tests__/session.test.ts
• packages/clerk-js/src/core/auth/cookies/session.ts

**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• packages/clerk-js/src/core/auth/cookies/__tests__/session.test.ts
• packages/clerk-js/src/core/auth/cookies/session.ts

packages/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

• packages/clerk-js/src/core/auth/cookies/__tests__/session.test.ts
• packages/clerk-js/src/core/auth/cookies/session.ts

packages/**/*.{ts,tsx,d.ts}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Packages should export TypeScript types alongside runtime code

Files:

• packages/clerk-js/src/core/auth/cookies/__tests__/session.test.ts
• packages/clerk-js/src/core/auth/cookies/session.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

• packages/clerk-js/src/core/auth/cookies/__tests__/session.test.ts
• packages/clerk-js/src/core/auth/cookies/session.ts

packages/**/*.{test,spec}.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Unit tests should use Jest or Vitest as the test runner.

Files:

• packages/clerk-js/src/core/auth/cookies/__tests__/session.test.ts

packages/{clerk-js,elements,themes}/**/*.{test,spec}.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Visual regression testing should be performed for UI components.

Files:

• packages/clerk-js/src/core/auth/cookies/__tests__/session.test.ts

**/*.{js,ts,tsx,jsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

• packages/clerk-js/src/core/auth/cookies/__tests__/session.test.ts
• packages/clerk-js/src/core/auth/cookies/session.ts

**/__tests__/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/typescript.mdc)

**/__tests__/**/*.{ts,tsx}: Create type-safe test builders/factories
Use branded types for test isolation
Implement proper mock types that match interfaces

Files:

• packages/clerk-js/src/core/auth/cookies/__tests__/session.test.ts

🧬 Code graph analysis (2)

packages/clerk-js/src/core/auth/cookies/__tests__/session.test.ts (1)

packages/clerk-js/src/core/auth/cookies/session.ts (1)

• createSessionCookie (29-72)

packages/clerk-js/src/core/auth/cookies/session.ts (2)

packages/clerk-js/src/core/clerk.ts (1)

• domain (295-304)

packages/shared/src/cookie.ts (2)

• set (23-25)
• remove (32-34)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (8)

packages/clerk-js/src/core/auth/cookies/session.ts (3)

6-6: LGTM: Domain resolution import added.

The import of getCookieDomain enables domain-aware cookie management for both setting and removing cookies.

---

46-63: LGTM: Domain-aware cookie setting with backward-compatible cleanup.

The implementation correctly:

1. Computes the domain for consistent cookie scope
2. Pre-emptively removes any existing non-domain cookies (lines 52-53) to clean up subdomain-scoped variants
3. Handles partitioned cookies by removing all existing variants (line 58)
4. Sets both cookies with explicit domain, expires, partitioned, sameSite, and secure attributes (lines 61-62)

This approach ensures proper cookie management across subdomains while maintaining backward compatibility.

---

33-44: No changes needed: the remove() wrapper already passes matching sameSite, secure, partitioned, and domain attributes in both removal calls.

Likely an incorrect or invalid review comment.

packages/clerk-js/src/core/auth/cookies/__tests__/session.test.ts (5)

6-6: LGTM: Mock setup for domain resolution.

The test properly mocks getCookieDomain to return a test domain, enabling verification of domain-aware cookie behavior.

Also applies to: 13-13, 20-20, 30-30

---

46-61: LGTM: Test validates domain attribute in non-cross-origin context.

The test correctly verifies that:

1. Two remove calls occur to clean up subdomain-scoped cookies (line 52)
2. Cookies are set with the domain attribute (line 55)
3. partitioned is false in non-cross-origin context (line 57)
4. sameSite is 'Lax' in non-cross-origin context (line 58)

---

63-75: LGTM: Test validates domain attribute in cross-origin context.

The test correctly verifies that cookies are set with:

1. Domain attribute (line 69)
2. partitioned false (line 71)
3. sameSite 'None' for cross-origin contexts (line 72)

---

77-83: LGTM: Test validates backward-compatible removal.

The test correctly verifies that remove() calls the underlying mockRemove four times:

• 2 calls with domain attribute for current cookies
• 2 calls without domain attribute for backward compatibility

---

85-127: LGTM: Comprehensive test validates full cookie lifecycle.

The test thoroughly validates the complete cookie lifecycle:

1. Lines 103-109: Verify set() includes domain and all attributes
2. Lines 117-118: Verify set() calls remove() twice without params to clean subdomain cookies
3. Lines 121-122: Verify remove() clears cookies with domain attribute (2 calls)
4. Lines 125-126: Verify remove() clears cookies without domain for backward compatibility (2 calls)

The test correctly accounts for 6 total mockRemove calls (2 during set() + 4 during remove()), ensuring both domain-aware and legacy cookie cleanup.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@6953

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@6953

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@6953

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@6953

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@6953

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@6953

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@6953

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@6953

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@6953

@clerk/express

npm i https://pkg.pr.new/@clerk/express@6953

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@6953

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@6953

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@6953

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@6953

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@6953

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@6953

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@6953

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@6953

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@6953

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@6953

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@6953

@clerk/types

npm i https://pkg.pr.new/@clerk/types@6953

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@6953

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@6953

commit: db12467