If my application places HttpOnly cookies on a client and then needs to remove them how can you remove them completely?
A:
You can't reach out and delete cookies. You can take all the cookies, wipe out the data and make them expired though.
Wyatt Barnett
2010-10-07 22:24:36
well any example on this? because everything i tried so far seems to not actually change anything
Chris Marisic
2010-10-07 22:54:22
+4
A:
You can cause the cookie to expire when the user visits your website, for example:
HttpCookie expiredCookie = new HttpCookie(cookieName);
expiredCookie.Expires = DateTime.UtcNow.AddDays(-1);
Response.Cookies.Add(expiredCookie);
You'll have to do this for every cookie you want to be removed.
Waleed Eissa
2010-10-08 02:49:15
Note that you cna't truly destroy the cookie on the client. You can only ask the client to destroy the cookie and hope it behaves. Misbehavior could be a client bug or a user that copies the cookie out of the browser before the expiration, and copies it back after the expiry. If the cookie contains sensitive information (like your session id) you must invalidate the session on the server to ensure that it cannot be reused.
atk
2010-10-08 02:59:17
@atk, this is certainly correct, but I assumed he was looking for the normal way to remove the cookies. Of course, there's no guarantee that the cookies will be removed unless you have access to the client's computer. The only way to do this is to hack the computer of every visitor to your website :)
Waleed Eissa
2010-10-08 04:22:24
I had tried something equivalent to this and it didn't seem to work for me however doing independent verification on this clearly shows it does work and that the 3rd party component I was trying to clean up after must have been pushing the cookies back in after I tried to remove them.
Chris Marisic
2010-10-08 14:56:47