
*Really* deleting cookies with javascript

The way to delete cookies in javascript is to set the expiry date to be in the past. Now this doesn't actually delete the cookie, at least in Firefox. It just means the cookie will be deleted on browser close.

This is a problem for us: we have a product that involves archiving web pages from potentially many sites, with all this content stored on our server. And to make sure that pages render properly we include all js as well. However often cookies are set by js, and given that the page is cached on our server, these cookies are set under our domain.

So over time cookies from dozens of archived sites build up under our domain. And eventually the Cookie header exceeds the max content length, resulting in an HTTP 400 error code.

And because our clients are mostly in corporate environments they never reboot their machines or close their browsers: they can be left on for months. So this "soft" delete doesn't work, at least not reliably.

Is there any way to physically remove cookies intra-session in javascript? Or alternatively, is there any way to stop them being set?

Richard H asked Jul 29 '11 16:07


2 Answers

It's not possible. Period. I've been struggling with this for several weeks without finding a solution.

Whoever invented the cookie getter/setter should be %insert_painful_punishment_here%.

Particularly Internet Exploder is a beast when it comes to deleting cookies. I can't remember the exact issue, but I think it involved https and cookie names containing ;.

All I can offer is a workaround: Send a response body with your 400 response, something like 'please restart your browser'.

user123444555621 answered Sep 30 '22 05:09


In addition to setting the expiration in the past, set the value to an empty string. This will at least reduce the size of the cookie immediately.

I would think that cookies should be deleted immediately in all browsers. For example, when I log out of a website, Firefox does not require me to close my browser to delete the cookie that shows that I am logged into the site. If this isn't happening, I suggest you look into Firefox bugs and possibly open a new one with them.

In the meantime, I'd look at my web server and see if it is possible to set the max content length to something higher than it already is.

gpojd answered Sep 30 '22 05:09
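
An added example, not part of either answer, of the approach in the answer above: each script-visible cookie is overwritten with an empty value and a past expiry date. The sweep over path and domain variants goes beyond the answer; it is there because a cookie is only replaced when its name, domain and path all match. All function names are hypothetical.

```javascript
// Added example; all function names are hypothetical.

// Names of the cookies in a document.cookie-style string ("a=1; b=2").
function cookieNames(cookieString) {
  return cookieString.split(';')
    .map((pair) => pair.split('=')[0].trim())
    .filter((name) => name.length > 0);
}

// Every Path a cookie visible at `pathname` could have been set with.
function candidatePaths(pathname) {
  const paths = ['/'];
  let current = '';
  for (const segment of pathname.split('/').filter(Boolean)) {
    current += '/' + segment;
    paths.push(current, current + '/');
  }
  return paths;
}

// Domain attributes to try: none (host-only cookie), then the host and each
// parent domain with at least two labels.
function candidateDomains(hostname) {
  const labels = hostname.split('.');
  const domains = [''];
  for (let i = 0; i + 2 <= labels.length; i++) {
    domains.push(labels.slice(i).join('.'));
  }
  return domains;
}

// Overwrite every script-visible cookie with an empty value and a past expiry,
// once per path/domain combination. Returns the strings that were written.
function purgeCookies(doc, loc) {
  const written = [];
  for (const name of cookieNames(doc.cookie)) {
    for (const domain of candidateDomains(loc.hostname)) {
      for (const path of candidatePaths(loc.pathname)) {
        const cookie = name + '=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=' +
          path + (domain ? '; domain=' + domain : '');
        doc.cookie = cookie; // a browser ignores combinations it does not accept
        written.push(cookie);
      }
    }
  }
  return written;
}

// In a page: purgeCookies(document, window.location);
```

Cookies marked HttpOnly are not visible to script, so this cannot touch them.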