Calling setcookie(..) with expires=0 does not set expires to the epoch time on the client.
To delete a cookie client side, conventional wisdom is to set expires to the epoch time: http://stackoverflow.com/questions/5285940/correct-way-to-delete-cookies-server-side When setting expires=0 in setcookie, modules/lua/lua_requests.c lua_set_cookie() function skips adding the expires field to the cookie in Set-Cookie header sent back to client. The fix is pretty simple, time zero should be the epoch anyway? -Mark