Reputation: 5933
How can I send a response that will delete all applicable cookies named X?
Let's say I'm running a Web application. Let's also say that I started noticing a really large cookie in my web logs—perhaps it was introduced by a third party library, via a hosted service on a subdomain, or via a bug in my code, etc.
The important detail here is that I don't actually know much about the cookie (and since cookies in a request don't give any details about the domain or path they were saved with, I can't easily find out), but I want to have a rule to delete it (either in my application or at some layer in front of my application).
What can I send back to the browser to delete that cookie regardless of the domain, subdomain, path, etc., it was originally set with? Is there any reasonably straightforward way to do it?
Experimenting locally, it seems like the SET-COOKIE header to delete a cookie must match both domain and path in order to effectively delete that cookie. But unless there's some way around that, that means there's no way I can delete the cookie other than by trial and error and checking my weblogs. Is there any way around this?
Upvotes: 1
Views: 293
Answers (1)
Reputation: 595349
You must provide the same domain and path attributes that were set on the original cookie. You can't avoid that, they are vital to the cookie storage model:
HTTP State Management Mechanism
4.1.2. Semantics (Non-Normative)
...
If the user agent receives a new cookie with the same cookie-name,
domain-value, and path-value as a cookie that it has already stored,
the existing cookie is evicted and replaced with the new cookie.
Notice that servers can delete cookies by sending the user agent a
new cookie with an Expires attribute with a value in the past.
...
5.3. Storage Model
...
When the user agent "receives a cookie" from a request-uri with name
cookie-name, value cookie-value, and attributes cookie-attribute-
list, the user agent MUST process the cookie as follows:
...
11. If the cookie store contains a cookie with the same name,
domain, and path as the newly created cookie:
1. Let old-cookie be the existing cookie with the same name,
domain, and path as the newly created cookie. (Notice that
this algorithm maintains the invariant that there is at most
one such cookie.)
2. If the newly created cookie was received from a "non-HTTP"
API and the old-cookie's http-only-flag is set, abort these
steps and ignore the newly created cookie entirely.
3. Update the creation-time of the newly created cookie to
match the creation-time of the old-cookie.
4. Remove the old-cookie from the cookie store.
12. Insert the newly created cookie into the cookie store.
...
The important detail here is that I don't actually know much about the cookie (and since cookies in a request don't give any details about the domain or path they were saved with, I can't easily find out)
The fact that you are receiving a cookie at all means the URL being requested must match the domain and path of the original Set-Cookie. So, you can issue a new Set-Cookie whose domain and path attributes match the current URL being requested, at a minimum. Of course, that will not delete the cookie if it is using a higher domain and/or path to allow for sub-domains and sub-paths. You would have to issue additional Set-Cookie headers for different combinations of domain/path wildcards that also match the current URL being requested.
For example, if the URL being requested is http://mysite.myserver.com/path/to/file, and you want to delete the somecookie cookie, you could issue Set-Cookie headers like this:
Set-Cookie: somecookie=; Domain=mysite.myserver.com; Path=/path/to/; Expires=Sun, 06 Nov 1994 08:49:37 GMT
Set-Cookie: somecookie=; Domain=mysite.myserver.com; Path=/path/; Expires=Sun, 06 Nov 1994 08:49:37 GMT
Set-Cookie: somecookie=; Domain=mysite.myserver.com; Path=/; Expires=Sun, 06 Nov 1994 08:49:37 GMT
Set-Cookie: somecookie=; Domain=myserver.com; Path=/path/to/; Expires=Sun, 06 Nov 1994 08:49:37 GMT
Set-Cookie: somecookie=; Domain=myserver.com; Path=/path/; Expires=Sun, 06 Nov 1994 08:49:37 GMT
Set-Cookie: somecookie=; Domain=myserver.com; Path=/; Expires=Sun, 06 Nov 1994 08:49:37 GMT
Not a perfect solution, but it is probably about as close as you are going to get without knowing the detail of the original cookie.
Upvotes: 1
Related Questions
- Correct way to delete cookies server-side
- Delete cookie by name?
- How can you delete a cookie in an HTTP response?
- How to delete cookie with HttpOnly using PHP or JS
- delete all cookies with specific string in name
- Delete cookies from http header?
- Delete all Cookies of browser using javascript
- Can javascript delete a cookie set by http header?
- How can I delete all cookies that the browser added during one request?
- Delete cookie from browser?