For my authentication process I create a unique token when a user logs in and put that into a cookie which is used for authentication.
So I would send something like this from the server:
Set-Cookie: token=$2a$12$T94df7ArHkpkX7RGYndcq.fKU.oRlkVLOkCBNrMilaSWnTcWtCfJC; path=/;
Which works on all browsers. Then to delete a cookie I send a similar cookie with the expires field set for January 1st 1970
Set-Cookie: token=$2a$12$T94df7ArHkpkX7RGYndcq.fKU.oRlkVLOkCBNrMilaSWnTcWtCfJC; path=/; expires=Thu, Jan 01 1970 00:00:00 UTC;
And that works fine on Firefox but doesn't delete the cookie on IE or Safari.
So what is the best way to delete a cookie (without JavaScript preferably)? The set-the-expires-in-the-past method seems bulky. And also why does this work in FF but not in IE or Safari?
Setting "expires" to a past date is the standard way to delete a cookie.
Your problem is probably because the date format is not conventional. IE probably expects GMT only.
At the time of my writing this answer, the accepted answer to this question appears to state that browsers are not required to delete a cookie when receiving a replacement cookie whose Expires value is in the past. That claim is false. Setting Expires to be in the past is the standard, spec-compliant way of deleting a cookie, and user agents are required by spec to respect it.
Using an Expires attribute in the past to delete a cookie is correct and is the way to remove cookies dictated by the spec. The examples section of RFC 6255 states:
Finally, to remove a cookie, the server returns a Set-Cookie header with an expiration date in the past. The server will be successful in removing the cookie only if the Path and the Domain attribute in the Set-Cookie header match the values used when the cookie was created.
The User Agent Requirements section includes the following requirements, which together have the effect that a cookie must be immediately expunged if the user agent receives a new cookie with the same name whose expiry date is in the past
If [when receiving a new cookie] the cookie store contains a cookie with the same name, domain, and path as the newly created cookie:
- ...
- ...
- Update the creation-time of the newly created cookie to match the creation-time of the old-cookie.
- Remove the old-cookie from the cookie store.
Insert the newly created cookie into the cookie store.
A cookie is "expired" if the cookie has an expiry date in the past.
The user agent MUST evict all expired cookies from the cookie store if, at any time, an expired cookie exists in the cookie store.
Points 11-3, 11-4, and 12 above together mean that when a new cookie is received with the same name, domain, and path, the old cookie must be expunged and replaced with the new cookie. Finally, the point below about expired cookies further dictates that after that is done, the new cookie must also be immediately evicted. The spec offers no wiggle room to browsers on this point; if a browser were to offer the user the option to disable cookie expiration, as the accepted answer suggests some browsers do, then it would be in violation of the spec. (Such a feature would also have little use, and as far as I know it does not exist in any browser.)
Why, then, did the OP of this question observe this approach failing? Though I have not dusted off a copy of Internet Explorer to check its behaviour, I suspect it was because the OP's Expires value was malformed! They used this value:
expires=Thu, Jan 01 1970 00:00:00 UTC;
However, this is syntactically invalid in two ways.
The syntax section of the spec dictates that the value of the Expires attribute must be a
rfc1123-date, defined in [RFC2616], Section 3.3.1
Following the second link above, we find this given as an example of the format:
Sun, 06 Nov 1994 08:49:37 GMT
and find that the syntax definition...
requires that dates be written in day month year format, not month day year format as used by the question asker.
Specifically, it defines rfc1123-date as follows:
rfc1123-date = wkday "," SP date1 SP time SP "GMT"
and defines date1 like this:
date1 = 2DIGIT SP month SP 4DIGIT
; day month year (e.g., 02 Jun 1982)
and
doesn't permit UTC as a timezone.
The spec contains the following statement about what timezone offsets are acceptable in this format:
All HTTP date/time stamps MUST be represented in Greenwich Mean Time (GMT), without exception.
What's more if we dig deeper into the original spec of this datetime format, we find that in its initial spec in https://tools.ietf.org/html/rfc822, the Syntax section lists "UT" (meaning "universal time") as a possible value, but does not list not UTC (Coordinated Universal Time) as valid. As far as I know, using "UTC" in this date format has never been valid; it wasn't a valid value when the format was first specified in 1982, and the HTTP spec has adopted a strictly more restrictive version of the format by banning the use of all "zone" values other than "GMT".
If the question asker here had instead used an Expires attribute like this, then:
expires=Thu, 01 Jan 1970 00:00:00 GMT;
then it would presumably have worked.
For GlassFish Jersey JAX-RS implementation I have resolved this issue by common method is describing all common parameters. At least three of parameters have to be equal: name(="name"), path(="/") and domain(=null) :
public static NewCookie createDomainCookie(String value, int maxAgeInMinutes) {
ZonedDateTime time = ZonedDateTime.now().plusMinutes(maxAgeInMinutes);
Date expiry = time.toInstant().toEpochMilli();
NewCookie newCookie = new NewCookie("name", value, "/", null, Cookie.DEFAULT_VERSION,null, maxAgeInMinutes*60, expiry, false, false);
return newCookie;
}
And use it the common way to set cookie:
NewCookie domainNewCookie = RsCookieHelper.createDomainCookie(token, 60);
Response res = Response.status(Response.Status.OK).cookie(domainNewCookie).build();
and to delete the cookie:
NewCookie domainNewCookie = RsCookieHelper.createDomainCookie("", 0);
Response res = Response.status(Response.Status.OK).cookie(domainNewCookie).build();
Use Max-Age=-1 rather than "Expires". It is shorter, less picky about the syntax, and Max-Age takes precedence over Expires anyway.
Source: Stackoverflow.com