Correct way to delete cookies server-side

Question

For my authentication process I create a unique token when a user logs in and put that into a cookie which is used for authentication   So I would send something like this from the server   Set-Cookie  token  2a 12 T94df7ArHkpkX7RGYndcq fKU oRlkVLOkCBNrMilaSWnTcWtCfJC  path      Which works on all browsers  Then to delete a cookie I send a similar cookie with the expires field set for January 1st 1970  Set-Cookie  token  2a 12 T94df7ArHkpkX7RGYndcq fKU oRlkVLOkCBNrMilaSWnTcWtCfJC  path    expires Thu  Jan 01 1970 00 00 00 UTC     And that works fine on Firefox but doesn t delete the cookie on IE or Safari   So what is the best way to delete a cookie  without JavaScript preferably   The set-the-expires-in-the-past method seems bulky  And also why does this work in FF but not in IE or Safari

User · Answer

Use    Max-Age -1 rather than  Expires   It is shorter  less picky about the syntax  and Max-Age takes precedence over Expires anyway

User · Answer

For GlassFish Jersey JAX-RS implementation I have resolved this issue by common method is describing all common parameters  At least three of parameters have to be equal  name   name    path       and domain  null     public static NewCookie createDomainCookie String value  int maxAgeInMinutes        ZonedDateTime time   ZonedDateTime now   plusMinutes maxAgeInMinutes       Date expiry   time toInstant   toEpochMilli        NewCookie newCookie   new NewCookie  name   value       null  Cookie DEFAULT VERSION null  maxAgeInMinutes 60  expiry  false  false       return newCookie      And use it the common way to set cookie    NewCookie domainNewCookie   RsCookieHelper createDomainCookie token  60   Response res   Response status Response Status OK  cookie domainNewCookie  build      and to delete the cookie   NewCookie domainNewCookie   RsCookieHelper createDomainCookie     0   Response res   Response status Response Status OK  cookie domainNewCookie  build

User · Answer

At the time of my writing this answer  the accepted answer to this question appears to state that browsers are not required to delete a cookie when receiving a replacement cookie whose Expires value is in the past  That claim is false  Setting Expires to be in the past is the standard  spec-compliant way of deleting a cookie  and user agents are required by spec to respect it   Using an Expires attribute in the past to delete a cookie is correct and is the way to remove cookies dictated by the spec  The examples section of RFC 6255 states      Finally  to remove a cookie  the server returns a Set-Cookie header      with an expiration date in the past   The server will be successful      in removing the cookie only if the Path and the Domain attribute in      the Set-Cookie header match the values used when the cookie was      created    The User Agent Requirements section includes the following requirements  which together have the effect that a cookie must be immediately expunged if the user agent receives a new cookie with the same name whose expiry date is in the past        If  when receiving a new cookie  the cookie store contains a cookie with the same name  domain  and path as the newly created cookie                      Update the creation-time of the newly created cookie to match the creation-time of the old-cookie    Remove the old-cookie from the cookie store       Insert the newly created cookie into the cookie store          A cookie is  expired  if the cookie has an expiry date in the past       The user agent MUST evict all expired cookies from the cookie store      if  at any time  an expired cookie exists in the cookie store    Points 11-3  11-4  and 12 above together mean that when a new cookie is received with the same name  domain  and path  the old cookie must be expunged and replaced with the new cookie  Finally  the point below about expired cookies further dictates that after that is done  the new cookie must also be immediately evicted  The spec offers no wiggle room to browsers on this point  if a browser were to offer the user the option to disable cookie expiration  as the accepted answer suggests some browsers do  then it would be in violation of the spec   Such a feature would also have little use  and as far as I know it does not exist in any browser    Why  then  did the OP of this question observe this approach failing  Though I have not dusted off a copy of Internet Explorer to check its behaviour  I suspect it was because the OP s Expires value was malformed  They used this value   expires Thu  Jan 01 1970 00 00 00 UTC    However  this is syntactically invalid in two ways   The syntax section of the spec dictates that the value of the Expires attribute must be a     rfc1123-date  defined in  RFC2616   Section 3 3 1   Following the second link above  we find this given as an example of the format   Sun  06 Nov 1994 08 49 37 GMT   and find that the syntax definition      requires that dates be written in day month year format  not month day year format as used by the question asker   Specifically  it defines rfc1123-date as follows   rfc1123-date   wkday     SP date1 SP time SP  GMT    and defines date1 like this   date1          2DIGIT SP month SP 4DIGIT                day month year  e g   02 Jun 1982     and   doesn t permit UTC as a timezone   The spec contains the following statement about what timezone offsets are acceptable in this format      All HTTP date time stamps MUST be represented in Greenwich Mean Time  GMT   without exception    What s more if we dig deeper into the original spec of this datetime format  we find that in its initial spec in https   tools ietf org html rfc822  the Syntax section lists  UT   meaning  universal time   as a possible value  but does not list not UTC  Coordinated Universal Time  as valid  As far as I know  using  UTC  in this date format has never been valid  it wasn t a valid value when the format was first specified in 1982  and the HTTP spec has adopted a strictly more restrictive version of the format by banning the use of all  zone  values other than  GMT     If the question asker here had instead used an Expires attribute like this  then   expires Thu  01 Jan 1970 00 00 00 GMT    then it would presumably have worked

User · Answer

Setting  expires  to a past date is the standard way to delete a cookie   Your problem is probably because the date format is not conventional  IE probably expects GMT only

User · Answer

Sending the same cookie value with   expires appended will not destroy the cookie   Invalidate the cookie by setting an empty value and include an expires field as well   Set-Cookie  token deleted  path    expires Thu  01 Jan 1970 00 00 00 GMT   Note that you cannot force all browsers to delete a cookie  The client can configure the browser in such a way that the cookie persists  even if it s expired  Setting the value as described above would solve this problem

[http] Correct way to delete cookies server-side

Examples related to http

Examples related to cookies