File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Servlets and the fly likes Cookie will not die Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "Cookie will not die" Watch "Cookie will not die" New topic

Cookie will not die

Garrett Smith
Ranch Hand

Joined: Jun 27, 2002
Posts: 401
What do I have to do to delete a cookie?
I tried:
The cookie is sent in the response and with the values I have sent, but the browser sends it back to the host on subsequent http requests. It seems the browser is reviving my cookie (?)
How to kill this cookie for good?

comp.lang.javascript FAQ:
Mayer Salzer

Joined: Apr 01, 2002
Posts: 20
I'm no expert on cookies, but I think I've had the same or similar situation where I'd expire a cookie and it would take a while for it to die. After fooling around with the system clock om my computer, I figured out that if the (client's) computer's time is running behind the server's, the cookie will still be alive and chirping, long after you buried it . . .
The reason for this is that you don't delete cookies, only expire them. When you code loginCookie.setMaxAge(0); all you're doing is setting the cookies expiration time to the current time on the server. If the client's computer is running slower, it won't realize that the cookie is supposed to be expired and it'll still get sent back on the next request . . .
However you can still identify these dead cookies (ghosts ???), by altering its contents the same time you're expiring it. In fact you're already doing that, loginCookie.setValue("");. Thus, even if you find the cookie in the clients request, if its value is blank you know it's dead . . .
Hope this helps . . . .
[ December 03, 2002: Message edited by: Mayer Salzer ]

Sun Certified Programmer for Java 2 Platform
chanoch wiggers
Ranch Hand

Joined: May 24, 2001
Posts: 245
another way to deal with this is to set the expiry date sufficiently in the past - say 30 days - to guarantee that it is deleted. I dont know any browser that has a problem with that.

chanoch<p><a href="" target="_blank" rel="nofollow">Author of Professional Apache Tomcat</a></p>
Thomas Hubschman
Ranch Hand

Joined: Sep 25, 2002
Posts: 88
You can also of course invalidate the session that the cookie is maintaining state for, then who cares if the cookie wont die!
Interface HttpSession
public void invalidate()
Invalidates this session then unbinds any objects bound to it.

SCJP '02, SCWCD '02, SCJD '08, SCSNB '09, SCEA '10
Mayer Salzer

Joined: Apr 01, 2002
Posts: 20
Setting the expiration date to the past (by passing a negative number to the 'setMaxAge' method) does not work the way you would expect it to. Instead, when you set the expiration date to any negative number, the cookie gets treated like a 'session cookie' which means it gets deleted (on the client's side) when the browser is closed - not before then. If the user doesn't close the browser the cookie is still alive and well. Try it yourself and see how it works.

Invalidating the session is a good solution if you're dealing with session cookies (tracks the session id for each session). However, we're talking about regular cookies. These things are used to maintain state long after the session is gone. They're totally independent of sessions. . .
Servin Park

Joined: May 10, 2002
Posts: 26
Use loginCookie.setMaxAge(1); instead of loginCookie.setMaxAge(0);
It was bothering me for a while and someone told me of this trick. try and let me know
Mayer Salzer

Joined: Apr 01, 2002
Posts: 20
Originally posted by Servin Park:

Use loginCookie.setMaxAge(1); instead of loginCookie.setMaxAge(0)

I tried it, it makes no difference . . . (it actually prolongs the life of the cookie for one more second). If the time on the clients computer is running behind the server, the cookie will still not be expired, until the client's clock catches up . . .
Garrett Smith
Ranch Hand

Joined: Jun 27, 2002
Posts: 401
I found that the problem only happens in Mozilla, so I filed a bugzilla report. It seems that they look for the expires part of the cookie, not the maxAge. Mozilla should look to maxAge first, and then expires. Instead it says "oh, expires= [a long time in the future], so let's keep the cookie," and does not even check the maxAge.
Cookies were developed by netscape. It's no wonder they're such a pain in the . myself carpal tunnel over someone else's bugs...

BTW, invalidating the session is not the way to delete cookies.
Garrett Smith
Ranch Hand

Joined: Jun 27, 2002
Posts: 401
Oh, this problem came back, or maybe never went away.
I notice in IE the problem is a little different.
1) login to checking "Auto Login"
2) logout calls (doGet)
3) quit browser
4) open browser
5) be automatically logged in. (should not happen).
After 2)Logout is run, the cookie is not deleted. I know this because I
can see the cookie:

javascript:alert(document_dot_cookie) // replace '_dot_' with '.'
The relevant lines of

An exception is thrown and printed to my browser if I uncomment this: // throw new ServletException(" login coookie deletion in process: "+ loginCookie);
javax.servlet.ServletException: login coookie deletion in process: javax.servlet.http.Coookie@2108e0
So the coookie exists. What am I doing wrong here? Why does deletion
[ December 21, 2002: Message edited by: Garrett Smith ]
I agree. Here's the link:
subject: Cookie will not die
jQuery in Action, 3rd edition