For my authentication process I create a unique token when a user logs in and put that into a cookie which is used for authentication.
So I would send something like this from the server:
Set-Cookie: token=$2a$12$T94df7ArHkpkX7RGYndcq.fKU.oRlkVLOkCBNrMilaSWnTcWtCfJC; path=/;
Which works on all browsers. Then to delete a cookie I send a similar cookie with the expires field set for January 1st 1970
Set-Cookie: token=$2a$12$T94df7ArHkpkX7RGYndcq.fKU.oRlkVLOkCBNrMilaSWnTcWtCfJC; path=/; expires=Thu, Jan 01 1970 00:00:00 UTC;
And that works fine on Firefox but doesn't delete the cookie on IE or Safari.
So what is the best way to delete a cookie (without JavaScript preferably)? The set-the-expires-in-the-past method seems bulky. And also why does this work in FF but not in IE or Safari?
Cookies are stored in the client's browser with a timeout after which they are deleted. Upon every HTTP request to the server, they are sent to the server automatically. The cookie is usually set by the server, not the client (but it's possible).
Cookies are client-side files that are stored on a local computer and contain user information. Sessions are server-side files that store user information. Cookies expire after the user-specified lifetime. The session ends when the user closes the browser or logs out of the program.
Cookies are always client-side. Session cookies are stored on the client machine and at a minimum contain a reference to the session Id. If a server has a cookie it's because it's acting as a client. You can add cookies with JavaScript or from the server; that's probably what they mean by client vs server cookies.
Sending the same cookie value with ; expires appended will not destroy the cookie. Invalidate the cookie by setting an empty value and include an expires field as well:
Set-Cookie: token=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Note that you cannot force all browsers to delete a cookie. The client can configure the browser in such a way that the cookie persists, even if it's expired. Setting the value as described above would solve this problem. (edited Sep 20 '17 at 22:59)
Web servers instruct the client to store a cookie by issuing a special HTTP header, "Set-Cookie". Once cookied, every subsequent request by the client to that server will include the HTTP header "Cookie" with the data that was stored. By default, cookies are deleted when the user quits the browser.
Related: some people may wonder why their cookies do not get removed even after sending this header. In that case, have a look at cookies from other domains. For example, after deleting foo=bar; domain=www.example.com, another cookie foo=qux; domain=.example.com will be used. – Lekensteyn
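The following is an added example, not code from the question or from any of the answers above. It is a small in-memory cookie jar that follows the RFC 6265 storage model closely enough to show three things: why the deletion header in the answer removes the cookie (same name, domain and path, expiry in the past), what happens when the expires value cannot be parsed (RFC 6265 says the attribute is dropped, so the cookie is overwritten rather than removed), and Lekensteyn's caveat that a second cookie on the parent domain survives the deletion and is sent instead. The host name, token value and clock are constructed; the jar is a teaching model and does not reproduce any particular browser.

```python
# Added example; not code from the question or any of the answers.
# Minimal RFC 6265-style cookie jar: identity is (name, domain, path), a
# Set-Cookie that has already expired evicts the matching stored cookie,
# and an unparseable 'expires' attribute is ignored (section 5.2.1).
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime  # understands RFC 1123 dates
from typing import Optional

EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"  # the date form used in the answer


def expire_cookie_header(name, path="/", domain=None):
    """Deletion header as the answer recommends, plus Max-Age=0 (RFC 6265).
    path and domain must match the cookie being removed, otherwise the
    browser stores a second cookie instead of replacing the first."""
    parts = [f"{name}=deleted", f"path={path}"]
    if domain:
        parts.append(f"domain={domain}")
    parts += [f"expires={EPOCH}", "Max-Age=0"]
    return "Set-Cookie: " + "; ".join(parts)


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    expires: Optional[datetime]  # None means a session cookie


def parse_set_cookie(header, request_host, now):
    """Parse one 'Set-Cookie: ...' line received from request_host."""
    body = header.split(":", 1)[1]
    pairs = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = pairs[0].partition("=")
    attrs = {}
    for av in pairs[1:]:
        key, _, val = av.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain", request_host).lstrip(".").lower()
    path = attrs.get("path") or "/"
    expires = None
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
        except (ValueError, TypeError):
            expires = None  # malformed date: attribute dropped, cookie kept
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        expires = now + timedelta(seconds=int(attrs["max-age"]))
    return Cookie(name.strip(), value, domain, path, expires)


class CookieJar:
    def __init__(self):
        self._store = {}  # (name, domain, path) -> Cookie

    def store(self, header, request_host, now):
        c = parse_set_cookie(header, request_host, now)
        key = (c.name, c.domain, c.path)
        if c.expires is not None and c.expires <= now:
            self._store.pop(key, None)  # already expired: evict, do not keep
        else:
            self._store[key] = c        # same identity: replace

    def cookie_header(self, request_host, now):
        """Cookie request-header value for a request to request_host
        (path matching is skipped; every cookie here uses path=/)."""
        sent = [c for c in self._store.values()
                if (request_host == c.domain or request_host.endswith("." + c.domain))
                and (c.expires is None or c.expires > now)]
        return "; ".join(f"{c.name}={c.value}" for c in sent)


NOW = datetime(2017, 9, 20, 22, 59, tzinfo=timezone.utc)  # constructed clock
HOST = "www.example.com"                                   # constructed host


def scenario_delete():
    """Answer's header: the cookie is gone and nothing is sent back."""
    jar = CookieJar()
    jar.store("Set-Cookie: token=opaque-session-token; path=/", HOST, NOW)
    jar.store(expire_cookie_header("token"), HOST, NOW)
    return jar.cookie_header(HOST, NOW)


def scenario_bad_date():
    """Unparseable expires: the cookie is overwritten, still sent, not removed."""
    jar = CookieJar()
    jar.store("Set-Cookie: token=opaque-session-token; path=/", HOST, NOW)
    jar.store("Set-Cookie: token=deleted; path=/; expires=not-a-date", HOST, NOW)
    return jar.cookie_header(HOST, NOW)


def scenario_domain_caveat():
    """Lekensteyn's case: the host-only cookie is deleted, the parent-domain one remains."""
    jar = CookieJar()
    jar.store("Set-Cookie: foo=bar; path=/", HOST, NOW)                       # domain www.example.com
    jar.store("Set-Cookie: foo=qux; path=/; domain=.example.com", HOST, NOW)  # domain example.com
    jar.store(expire_cookie_header("foo"), HOST, NOW)                         # matches only the first
    return jar.cookie_header(HOST, NOW)


if __name__ == "__main__":
    for fn in (scenario_delete, scenario_bad_date, scenario_domain_caveat):
        print(f"{fn.__name__}: Cookie: {fn()!r}")
```

The second scenario is the one worth keeping in mind on the server side: a date the client cannot parse does not produce an error, it silently turns the deletion into an overwrite, so the header a server emits for logout should use the RFC 1123 form shown in the answer and, where possible, Max-Age=0 as well.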