Sending the same cookie value with ; expires
appended will not destroy the cookie.
Invalidate the cookie by setting an empty value and include an expires
field as well:
Set-Cookie: token=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Note that you cannot force all browsers to delete a cookie. The client can configure the browser in such a way that the cookie persists, even if it’s expired. Setting the value as described above would solve this problem.