E Paiz

Reputation: 681

Java cookies removed in Firefox, but not in Google or IE

I have the following code that is trying to remove some JSESSIONID cookies from my browser.

// One expiring JSESSIONID cookie is sent for each application path.
String[] cookieList = "/App1/,/App2/,/App3/".split(",");

for (int i = 0; i < cookieList.length; i++) {
    String cookiePathString = cookieList[i];
    response.setContentType("text/html");
    Cookie cookieToKill = new Cookie("JSESSIONID", "No Data");
    // getCookieDomainName is the poster's own helper (not shown).
    cookieToKill.setDomain(getCookieDomainName("myDomain.com"));
    cookieToKill.setMaxAge(0);
    cookieToKill.setPath(cookiePathString);
    cookieToKill.setComment("EXPIRING COOKIE at " + System.currentTimeMillis());
    response.addCookie(cookieToKill);
}

The code works fine in Firefox, and deletes the JSESSIONID. In Chrome and IE it does not. What do you have to do to expire these session cookies from IE and Chrome?

This is running in a Spring MVC application on Tomcat running Java 7.

Upvotes: 1

Views: 1881

Answers (2)

irreputable

Reputation: 45443

Cookie is completely messed up.

The best practices for a server:

  1. use Set-Cookie, not Set-Cookie2.
  2. if there are multiple cookies, use a separate Set-Cookie header for each cookie.
  3. use Expires, not Max-Age.
  4. use the date format: Sun, 06 Nov 1994 08:49:37 GMT

For example:

Set-Cookie: JSESSIONID=NO_DATA; Path=/App1/; Domain=myDomain.com; Expires=Thu, 01 Jan 1970 00:00:00 GMT

What I can recommend you to do:

  1. Don't have spaces in cookie values.
  2. Call cookie.setVersion(0);

If still no luck, forget the Cookie class and try setting the HTTP header manually:

response.addHeader("Set-Cookie", 
    "JSESSIONID=NO_DATA; Path=/App1/; Domain=myDomain.com; Expires=Thu, 01 Jan 1970 00:00:00 GMT");

Upvotes: 1
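
An added example, not part of the answer above or the asker's code: it builds one expiring Set-Cookie header per application path in the format the answer recommends, using the cookie name, domain and paths from the question. The class and method names are hypothetical, and rejecting separators and control characters in attribute values is an extra check assumed here so that a path or domain value cannot break out of the header line.

```java
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Locale;
import java.util.TimeZone;

/** Added example: one expiring Set-Cookie header per path (Java 7 compatible). */
public class ExpireCookieHeaders {

    /** Formats a date in the style "Sun, 06 Nov 1994 08:49:37 GMT". */
    static String httpDate(Date d) {
        SimpleDateFormat f =
                new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US);
        f.setTimeZone(TimeZone.getTimeZone("GMT"));
        return f.format(d);
    }

    /** Rejects characters that would end the attribute or the header line. */
    static String attr(String v) {
        for (char c : v.toCharArray()) {
            if (c == ';' || c == ',' || c <= 0x20 || c == 0x7f) {
                throw new IllegalArgumentException("unsafe cookie attribute: " + v);
            }
        }
        return v;
    }

    /** A browser only replaces a cookie whose name, Domain and Path all match. */
    static List<String> expireHeaders(String name, String domain, String[] paths) {
        String expires = httpDate(new Date(0L)); // the epoch is always in the past
        List<String> headers = new ArrayList<String>();
        for (String path : paths) {
            headers.add(attr(name) + "=NO_DATA; Path=" + attr(path)
                    + "; Domain=" + attr(domain) + "; Expires=" + expires);
        }
        return headers;
    }

    public static void main(String[] args) {
        String[] paths = "/App1/,/App2/,/App3/".split(",");
        for (String h : expireHeaders("JSESSIONID", "myDomain.com", paths)) {
            // In a servlet, use response.addHeader("Set-Cookie", h);
            // setHeader would overwrite the header added for the previous path.
            System.out.println("Set-Cookie: " + h);
        }
    }
}
```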

william.berg

Reputation: 85

This SO question indicates that the solution may be to call setHttpOnly(true).

Upvotes: 0
