For my authentication process I use py-bcrypt to create a unique token when a user logs in and put that into a cookie which is used for authentication.
So I would send something like this from the server:
Set-Cookie: token=$2a$12$T94df7ArHkpkX7RGYndcq.fKU.oRlkVLOkCBNrMilaSWnTcWtCfJC; path=/;
Set-Cookie: token=$2a$12$T94df7ArHkpkX7RGYndcq.fKU.oRlkVLOkCBNrMilaSWnTcWtCfJC; path=/; expires=Thu, Jan 01 1970 00:00:00 UTC;
Sending the same cookie value with "; expires" appended is a bad idea, since you want the contents to be destroyed. A better idea would be invalidating the cookie by setting the value to rubbish/empty and including an expires field as well:
Set-Cookie: token=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Note that you cannot force all browsers to delete a cookie. The client can configure the browser in such a way that the cookie persists, even if it's expired. Setting the value as described above would solve this problem.
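The following is an added example, not code from either post above. It builds the login cookie and the "overwrite with rubbish and expire" logout cookie with Python's standard http.cookies module, and shows why the overwritten value is harmless even if a browser keeps the cookie: a later request carrying token=deleted simply maps to no user. The in-memory SESSIONS store, the use of secrets.token_urlsafe instead of py-bcrypt for the random token, and the server-side removal of the token on logout are assumptions of this example and not something the answer describes.

```python
"""Added example (not from the original question or answer): issue a session
cookie on login and invalidate it on logout with the Set-Cookie form the
answer recommends. The in-memory store, the `secrets` module in place of
py-bcrypt, and the server-side token removal are assumptions of this example."""
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Hypothetical in-memory map of live tokens -> usernames (constructed for the example).
SESSIONS: Dict[str, str] = {}

EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"  # a date in the past, as in the answer


def login_header(username: str) -> str:
    """Create a fresh random token, remember it, and return the Set-Cookie line."""
    token = secrets.token_urlsafe(32)  # url-safe, so no quoting is needed in the cookie
    SESSIONS[token] = username
    c = SimpleCookie()
    c["token"] = token
    c["token"]["path"] = "/"
    c["token"]["httponly"] = True   # keep the token out of document.cookie
    c["token"]["secure"] = True     # only send it over HTTPS
    return c.output(header="Set-Cookie:")


def logout_header(token: str) -> str:
    """Forget the token server-side (assumption of this example) and return the
    Set-Cookie line that both overwrites the value with rubbish and expires it."""
    SESSIONS.pop(token, None)
    c = SimpleCookie()
    c["token"] = "deleted"
    c["token"]["path"] = "/"        # must match the path the cookie was set with
    c["token"]["expires"] = EPOCH
    c["token"]["max-age"] = 0       # Max-Age takes precedence over Expires where supported
    return c.output(header="Set-Cookie:")


def user_for_cookie(cookie_header: str) -> Optional[str]:
    """Parse a request's Cookie header and look the token up. Anything that is
    not in the store, including the literal 'deleted' left behind by a browser
    that ignored the expiry, is treated as anonymous."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get("token")
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


if __name__ == "__main__":
    hdr = login_header("alice")
    print(hdr)
    tok = hdr.split("token=")[1].split(";")[0]
    print(user_for_cookie("token=" + tok))       # alice
    print(logout_header(tok))
    print(user_for_cookie("token=" + tok))       # None: token is gone server-side
    print(user_for_cookie("token=deleted"))      # None: stale overwritten cookie
```

The logout header this produces reads Set-Cookie: token=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=/. Whatever the browser does with it, the old token value is no longer in the response, and the value it keeps (if any) does not resolve to a user.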