Natalie Perret

Reputation: 9047

Response cookie not really setup?

I am storing the user email in a cookie (depending on the state of Remember Me checkbox on a login page) with the two simple methods below:

    private void UpdateEmailCookie(LoginModel loginModel)
    {
        if (loginModel.RememberMe.GetValueOrDefault())
        {
            if (Response.Cookies[EmailCookieName] == null)
            {
                var httpCookie = new HttpCookie(EmailCookieName, loginModel.Email);
                Response.Cookies.Add(httpCookie);
            }
            else
            {
                Response.Cookies[EmailCookieName].Value = loginModel.Email;
            }
        }
        else
        {
            Response.Cookies.Remove(EmailCookieName);
        }
    }

    private void LoadEmailCookie(LoginModel loginModel)
    {
        if (Request.Cookies[EmailCookieName] != null)
        {
            loginModel.Email = Request.Cookies[EmailCookieName].Value;
            loginModel.RememberMe = true;
        }
        else
        {
            loginModel.Email = null;
            loginModel.RememberMe = false;
        }
    }

Respectively used in:

    // GET: /Account/Login
    [AllowAnonymous]
    [HttpGet]
    public ActionResult Login()
    {
        if (Request.IsAuthenticated)
        {
            return RedirectToAction("Index", "Home");
        }

        var loginModel = new LoginModel();

        LoadEmailCookie(loginModel);

        return View(loginModel);
    }

and

    // POST: /Account/Login
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginModel loginModel, string returnUrl)
    {
         [Code for validating the email and password]
         [If valid it goes below]

         UpdateEmailCookie(loginModel);

         await SignInManager.SignInAsync(user, false, true);

         return RedirectToLocal(returnUrl);
    }

It seems fine when the user has decided to let the application remember its password; however, when he or she unchecks the box (and hence sets RememberMe to false), it appears that the email is still saved in the cookies and therefore still shows up when the view is loaded.

Any idea why my cookie keeps the information while the call to Response.Cookies.Remove(EmailCookieName); has actually occurred?

[EDIT] As mentioned in the accepted answer, I didn't set the Expires property, which is basically that oddity telling whether the cookie should be deleted or not. Additionally, there is no need to check against null on the cookies collection... imho the design is a bit counterintuitive; it seems a lot of people expect to delete the cookie while they needed to make it expire.

My working solution:

    private void UpdateEmailCookie(LoginModel loginModel)
    {
        if (loginModel.RememberMe.GetValueOrDefault())
        {
            Response.Cookies[EmailCookieName].Value = loginModel.Email;
            Response.Cookies[EmailCookieName].Expires = DateTime.Now.AddYears(1);
        }
        else
        {
            Response.Cookies[EmailCookieName].Expires = DateTime.MinValue;
        }
    }

    private void LoadEmailCookie(LoginModel loginModel)
    {
        if (!string.IsNullOrEmpty(Request.Cookies[EmailCookieName]?.Value))
        {
            loginModel.Email = Request.Cookies[EmailCookieName].Value;
            loginModel.RememberMe = true;
        }
        else
        {
            loginModel.Email = null;
            loginModel.RememberMe = false;
        }
    }

Upvotes: 0

Views: 34

Answers (1)

Leo M

Reputation: 123

You are only removing the cookie from your side but the user's browser still has it. In addition to what you are doing, you should make the cookie expire.

Upvotes: 1
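As an added example (not code from the question or the answer), here are the two helpers rewritten against System.Web's HttpCookie so that deletion always sends an expired Set-Cookie header, and the stored e-mail cookie carries HttpOnly, Secure and SameSite flags. The EmailCookieName constant and its value are assumed, and the SameSite property assumes .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Web;

public static class EmailCookie
{
    // Assumed name; the question's controller defines its own constant.
    private const string EmailCookieName = "RememberedEmail";

    // Writes (or overwrites) the remembered e-mail. Set() replaces any cookie
    // of the same name already queued in the response, or adds it if absent,
    // so no null check against Response.Cookies is needed.
    public static void Set(HttpResponseBase response, string email)
    {
        var cookie = new HttpCookie(EmailCookieName, email)
        {
            Expires = DateTime.UtcNow.AddYears(1),
            HttpOnly = true,             // not readable from script; limits XSS impact
            Secure = true,               // only sent over HTTPS
            SameSite = SameSiteMode.Lax, // .NET Framework 4.7.2+
            Path = "/"
        };
        response.Cookies.Set(cookie);
    }

    // Deletes the cookie in the browser. Response.Cookies.Remove() only stops a
    // Set-Cookie header from being emitted; the browser keeps what it already
    // holds. The only way to delete it is to resend the same name and path
    // with an Expires date in the past.
    public static void Delete(HttpResponseBase response)
    {
        var expired = new HttpCookie(EmailCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true,
            Secure = true,
            Path = "/"                   // must match the path used in Set()
        };
        response.Cookies.Set(expired);
    }

    // Reads the cookie from the request; null when absent or empty, which is
    // what the browser sends after the expired cookie has been processed.
    public static string Load(HttpRequestBase request)
    {
        var value = request.Cookies[EmailCookieName]?.Value;
        return string.IsNullOrEmpty(value) ? null : value;
    }
}
```

In the controller this becomes `EmailCookie.Set(Response, loginModel.Email)` when RememberMe is checked and `EmailCookie.Delete(Response)` otherwise.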
