From 51d61b8f6973cc95cce394118649e1369f92201f Mon Sep 17 00:00:00 2001
From: Chris Preisinger
Date: Mon, 14 Oct 2024 00:40:49 -0400
Subject: [PATCH] 56 Add secure and domain to cookie deletion
---
 lib/web/controllers/session_controller.ex | 5 ++++-
 lib/web/endpoint.ex | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/web/controllers/session_controller.ex b/lib/web/controllers/session_controller.ex
index 982c777ff..b78df9e2e 100644
--- a/lib/web/controllers/session_controller.ex
+++ b/lib/web/controllers/session_controller.ex
@@ -181,6 +181,9 @@ defmodule Web.SessionController do
 end
 defp clear_rails_session(conn) do
- delete_resp_cookie(conn, "_challenge_platform_key")
+ domain = Application.get_env(:challenge_gov, :session_cookie_domain)
+ secure = Mix.env() != :dev
+
+ delete_resp_cookie(conn, "_challenge_platform_key", domain: domain, secure: secure)
 end
 end
diff --git a/lib/web/endpoint.ex b/lib/web/endpoint.ex
index 2b76e519e..6d14c5ec4 100644
--- a/lib/web/endpoint.ex
+++ b/lib/web/endpoint.ex
@@ -12,6 +12,7 @@ defmodule Web.Endpoint do
 store: :cookie,
 key: "_challenge_gov_key",
 domain: Application.compile_env(:challenge_gov, :session_cookie_domain),
+ secure: Mix.env() != :dev,
 same_site: "Lax",
 signing_salt: "+S7HWPoL"
 ]
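Review bot: The new `secure = Mix.env() != :dev` line in `clear_rails_session/1` calls Mix at request time, and Mix is a build tool that is not part of an assembled release, so if this app is deployed as a `mix release` the call would raise `UndefinedFunctionError` and the old cookie would never be cleared. Evaluate it once at compile time instead, for example a module attribute `@secure_cookie Mix.env() != :dev` used as `secure: @secure_cookie`. The deletion also only takes effect when `domain` matches the value the cookie was originally set with, which is not visible here, so a one-line comment naming where `_challenge_platform_key` is issued and with which domain would help the next reader. The same `Mix.env() != :dev` expression is repeated in `lib/web/endpoint.ex`; one shared setting would keep the two from drifting.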
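Review bot: The `secure:` flag added to the session options is decided by the build environment, so a deployed build that was compiled with `MIX_ENV=dev` would issue `_challenge_gov_key` without the Secure attribute and nothing in the configuration would show it. Consider reading it the way the `domain:` line above does, with a default that is secure, e.g. `secure: Application.compile_env(:challenge_gov, :session_cookie_secure, true)` (the key name is only a suggestion), and setting it to `false` in the dev config. The option list starts outside this hunk; it looks like a compile-time value, in which case `Mix.env()` itself resolves here, unlike the runtime call in `session_controller.ex`.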