Replies: 1 comment
-
@Jimmy89 These are all good ideas, feel free to open a PR to allow for maxAge: -1 handling 👍
-
Currently, when calling destroy on a cookie, the response contains the cookie with an empty value and no maxAge, changing it to a session cookie. However, it's still there and being sent to the server (meaningless, that's true). The disadvantage of session cookies is that when users 'restore' their previous browser session the cookies stay there for a long time.
When you would have a lot of cookies being sent through the browser, debugging can become harder (logging all cookies) and well, you didn't destroy the cookie for nothing, right?
Secondly, theoretically speaking a browser could choose to not send all cookies or delete low priority cookies, because of the total size of all 'deleted' cookies with (the default) medium priority, according to spec https://datatracker.ietf.org/doc/html/draft-west-cookie-priority-00#section-4.1.
If you set the response to maxAge: -1 the cookie is being deleted from the cookie jar instantly, which would prevent any issues.
Secondly, you could add priority: "low" in the cookie response, which would prevent any overrides or unwanted behavior in case the maxAge: -1 is not being respected.
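Added example, not part of the original post or of the library's code: a simplified model of how a browser cookie jar treats the two kinds of destroy response discussed above, following the Max-Age rule in RFC 6265 section 5.2.2. The names parseSetCookie, CookieJar and afterDestroy, and the token cookie with its values, are hypothetical and constructed for illustration.

```javascript
// Added example: simplified model of a browser cookie jar (RFC 6265, 5.2.2 and 5.3).
// parseSetCookie, CookieJar and afterDestroy are hypothetical names, not a library API.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

class CookieJar {
  // Keyed by name only to keep the model short; real jars also key on domain and path.
  constructor() { this.store = new Map(); }

  // Processes one Set-Cookie header; returns "evicted", "persistent" or "session".
  receive(header, now = Date.now()) {
    const { name, value, attrs } = parseSetCookie(header);
    let expires = null; // null = session cookie, kept until the session ends
    if (/^-?\d+$/.test(attrs["max-age"] ?? "")) {
      const delta = Number(attrs["max-age"]);
      // Max-Age <= 0 maps to the earliest representable time, and wins over Expires.
      expires = delta <= 0 ? 0 : now + delta * 1000;
    } else if (attrs.expires !== undefined) {
      const t = Date.parse(attrs.expires);
      if (!Number.isNaN(t)) expires = t;
    }
    if (expires !== null && expires <= now) {
      this.store.delete(name); // an already-expired cookie is removed from the jar
      return "evicted";
    }
    this.store.set(name, { value, expires });
    return expires === null ? "session" : "persistent";
  }

  // Value of the Cookie request header that would be sent on the next request.
  requestHeader() {
    return [...this.store].map(([n, c]) => `${n}=${c.value}`).join("; ");
  }
}

// Constructed scenario: a cookie is set, then the server answers with a destroy header.
function afterDestroy(destroyHeader) {
  const jar = new CookieJar();
  jar.receive("token=abc123; Path=/; Max-Age=3600");
  jar.receive(destroyHeader);
  return jar.requestHeader();
}
```

Calling afterDestroy("token=; Path=/") leaves an empty token cookie in the request header, while the same header with Max-Age=-1 leaves nothing to send.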