What do I have to do to delete a cookie? I tried: loginCookie.setMaxAge(0); loginCookie.setValue(""); response.addCookie(loginCookie); The cookie is sent in the response and with the values I have sent, but the browser sends it back to the host on subsequent http requests. It seems the browser is reviving my cookie (?) How to kill this cookie for good?
I'm no expert on cookies, but I think I've had the same or similar situation where I'd expire a cookie and it would take a while for it to die. After fooling around with the system clock on my computer, I figured out that if the (client's) computer's time is running behind the server's, the cookie will still be alive and chirping, long after you buried it . . . The reason for this is that you don't delete cookies, only expire them. When you code loginCookie.setMaxAge(0); all you're doing is setting the cookie's expiration time to the current time on the server. If the client's computer is running slower, it won't realize that the cookie is supposed to be expired and it'll still get sent back on the next request . . . However, you can still identify these dead cookies (ghosts ???) by altering their contents at the same time you're expiring them. In fact you're already doing that: loginCookie.setValue("");. Thus, even if you find the cookie in the client's request, if its value is blank you know it's dead . . . Hope this helps . . . . [ December 03, 2002: Message edited by: Mayer Salzer ]
Another way to deal with this is to set the expiry date sufficiently in the past - say 30 days - to guarantee that it is deleted. I don't know any browser that has a problem with that.
chanoch, Author of Professional Apache Tomcat (http://www.amazon.com/exec/obidos/ASIN/1861007736/)
Garrett, You can also of course invalidate the session that the cookie is maintaining state for, then who cares if the cookie won't die! javax.servlet.http Interface HttpSession public void invalidate() Invalidates this session then unbinds any objects bound to it.
Chanoch, Setting the expiration date to the past (by passing a negative number to the 'setMaxAge' method) does not work the way you would expect it to. Instead, when you set the expiration date to any negative number, the cookie gets treated like a 'session cookie' which means it gets deleted (on the client's side) when the browser is closed - not before then. If the user doesn't close the browser the cookie is still alive and well. Try it yourself and see how it works.
Thomas, Invalidating the session is a good solution if you're dealing with session cookies (tracks the session id for each session). However, we're talking about regular cookies. These things are used to maintain state long after the session is gone. They're totally independent of sessions. . .
Hello, Use loginCookie.setMaxAge(1); instead of loginCookie.setMaxAge(0); It was bothering me for a while and someone told me of this trick. Try it and let me know.
Use loginCookie.setMaxAge(1); instead of loginCookie.setMaxAge(0)
I tried it, it makes no difference . . . (it actually prolongs the life of the cookie for one more second). If the time on the client's computer is running behind the server, the cookie will still not be expired, until the client's clock catches up . . .
I found that the problem only happens in Mozilla, so I filed a bugzilla report. It seems that they look for the expires part of the cookie, not the maxAge. Mozilla should look to maxAge first, and then expires. Instead it says "oh, expires= [a long time in the future], so let's keep the cookie," and does not even check the maxAge. Cookies were developed by Netscape. It's no wonder they're such a pain in the . ...giving myself carpal tunnel over someone else's bugs...
BTW, invalidating the session is not the way to delete cookies.
Oh, this problem came back, or maybe never went away. I notice in IE the problem is a little different. Case: 1) log in to dhtmlkitchen.com checking "Auto Login" 2) logout calls Logout.java (doGet) 3) quit browser 4) open browser 5) be automatically logged in (should not happen). After 2) Logout is run, the cookie is not deleted. I know this because I can see the cookie:
javascript:alert(document_dot_cookie) // replace '_dot_' with '.' The relevant lines of Logout.java:
An exception is thrown and printed to my browser if I uncomment this: // throw new ServletException("Logout.java login coookie deletion in process: "+ loginCookie); javax.servlet.ServletException: Logout.java login coookie deletion in process: javax.servlet.http.Coookie@2108e0 So the cookie exists. What am I doing wrong here? Why does deletion fail? [ December 21, 2002: Message edited by: Garrett Smith ]
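Added example, not code from any poster in this thread: one way to make logout hold even when the browser keeps sending the cookie back. It generalizes the blank-value check suggested earlier in the thread to a server-side record of live auto-login tokens. The cookie name, the path and the in-memory token store are assumptions, and the servlet API must be on the classpath.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;

// Added example: NAME, PATH and the in-memory token store are assumptions, not from the thread.
public class LoginCookies {
    static final String NAME = "login"; // hypothetical cookie name
    static final String PATH = "/";     // must equal the path used when the cookie was first set
    private static final SecureRandom RANDOM = new SecureRandom();
    private final Set<String> liveTokens = ConcurrentHashMap.newKeySet();
    // "Auto Login" checked: remember a random token and hand it to the browser.
    public Cookie issue(int maxAgeSeconds) {
        String token = new BigInteger(128, RANDOM).toString(16);
        liveTokens.add(token);
        return build(token, maxAgeSeconds);
    }
    // Logout: forget the token on the server first, then ask the browser to drop the cookie.
    public Cookie logout(String token) {
        if (token != null) liveTokens.remove(token);
        return build("", 0);
    }
    // Returns the accepted token, or null when the cookie is absent, blank or revoked.
    public String accept(Cookie[] cookies) {
        if (cookies == null) return null; // getCookies() returns null when no cookies were sent
        for (Cookie c : cookies) {
            String v = c.getValue();
            if (NAME.equals(c.getName()) && v != null && !v.isEmpty() && liveTokens.contains(v)) return v;
        }
        return null;
    }
    // A browser replaces a stored cookie only when name, domain and path all match.
    private static Cookie build(String value, int maxAge) {
        Cookie c = new Cookie(NAME, value);
        c.setPath(PATH);
        c.setMaxAge(maxAge);
        return c;
    }
    public static void main(String[] args) {
        LoginCookies store = new LoginCookies();
        Cookie sent = store.issue(30 * 24 * 3600);           // constructed sample: 30-day auto-login
        if (store.accept(new Cookie[] { sent }) == null) throw new IllegalStateException("live cookie rejected");
        Cookie expired = store.logout(sent.getValue());       // pass this to response.addCookie(...)
        // The browser resends the old cookie anyway, or resends the blanked one: both must fail.
        if (store.accept(new Cookie[] { sent }) != null || store.accept(new Cookie[] { expired }) != null)
            throw new IllegalStateException("dead cookie accepted");
    }
}
```

In a servlet, `accept(request.getCookies())` would gate the auto-login and the cookie returned by `logout(...)` would go to `response.addCookie(...)`.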