Can't set or delete cookies if you also throw an error or redirect

[kevinrenskers]

Describe the bug

When you call an internal endpoint to set or delete a cookie, this doesn't work if you also throw an error or redirect afterwards.

Reproduction

https://github.com/kevinrenskers/sk-cookie-problem.

When you first open the homepage there is a button to login, it just sets a cookie. Then refresh the website. The cookie should be deleted and then it should redirect, but instead the cookie isn't deleted and that causes an endless redirect loop.

When you remove the throw, the cookie does get deleted. It seems that for some reason the cookie isn't deleted if you throw something as well. Same goes if you throw an error, not only when you throw a redirect.

Logs

No response

System Info

System:
    OS: macOS 12.6
    CPU: (10) arm64 Apple M1 Max
    Memory: 1.34 GB / 32.00 GB
    Shell: 3.5.1 - /opt/homebrew/bin/fish
  Binaries:
    Node: 16.17.0 - ~/Library/pnpm/node
    npm: 8.15.0 - ~/Library/pnpm/npm
  Browsers:
    Safari: 16.0
  npmPackages:
    @sveltejs/adapter-auto: next => 1.0.0-next.73
    @sveltejs/kit: next => 1.0.0-next.481
    svelte: ^3.44.0 => 3.50.1
    vite: ^3.1.0 => 3.1.0

Severity

blocking an upgrade

Additional Information

This is blocking me from handling 401 errors. What I need to do is remove the token cookie and redirect the user back to the safety of the homepage, but I can either delete the cookie or redirect, not both.

[benmccann]

The latest release has a number of fixes related to cookies (#6811). Can you confirm whether this is still an issue with the latest version?

[kevinrenskers]

This is still an issue.

[dummdidumm]

This works as expected, it can't work like this. You're doing a fetch inside your load function, which creates a new request, and on that response the cookies are set (or unset). But nothing is done with the response, cookies are not forwarded to the original response, so the cookies get "lost".
Btw if you use the fetch that the load function provides you can use the relative url as expected.

[kevinrenskers]

I'm kind of shocked that this is expected to simply not work. So here's the scenario: in my root +layout.ts file, I see if there is a token (which is stored in a cookie). If there is, I do a request to my (external) backend to fetch the user details. If that request fails because the token is invalid, I want to delete the cookie and redirect the user. But you're saying this is not possible at all.

Can you suggest any workarounds?

[dummdidumm]

Reopening, since when using the fetch function provided to load, cookies are forwarded, but that doesn't happen during redirect.

[kevinrenskers]

I've updated my example repro to use the provided fetch function, and yeah I actually used the provided function in my real world app as well.