How can you delete a cookie in an HTTP response?

Question

What is the preferred way to instruct a browser to delete (or no longer use) an HTTP cookie issued for a given domain in an HTTP response?

(I understand you cannot force the browser to delete the cookie, but there must be a way to indicate that it is no longer valid and should not longer be sent)

Answer 1

Just set the cookie on exactly the same name, path and domain, but with an Expires value in the past. Optionally, set the value to null/empty-string, even if it's just to save the bandwidth, it's otherwise ignored anyway by the average client.

Note that setting on exactly the same path is important. Many starters fail in this by using only the same name and domain and relying on the current request URL for the default path.

From the RFC6265 spec:

Finally, to remove a cookie, the server returns a Set-Cookie header with an expiration date in the past. The server will be successful in removing the cookie only if the Path and the Domain attribute in the Set-Cookie header match the values used when the cookie was created.

Using Max-Age=0 will also work with any spec-compliant user agent, but the spec dictates that a server "SHOULD" not do this. Per https://www.rfc-editor.org/errata/eid3430, this is apparently meant to maximise interoperability with non-compliant user agents that only support positive Max-Age values.

Answer 2

You may set the time to 0 or anytime that has expired.

In PHP only you may use the following, but for your scenario you may only take from this the fact that the time is being manipulated

// Use the following for immediate elimination for current running server script unset($_COOKIE['cookiename']);   // In order to eliminate all together which involves notifying client-side. Expire time setcookie('cookiename', '', time() - 3600);