santipianis

Reputation: 151

.net core 3.1 cannot delete cookies

I have a web app based on .NET Core 3.1 and an IIS server. For some reason, I cannot delete cookies on logout. I tried Response.Cookies.Delete(cookie.Key); and Response.Cookies.Append(cookie.Key, "", options); with options.Expires = DateTime.Now.AddDays(-1) and options.MaxAge = new TimeSpan(0);, but this still doesn't work.

The problem does not appear when I run the project on localhost.

My configuration in the startup.cs file:

ConfigureServices:

services.Configure<CookiePolicyOptions>(options =>
{
    // This lambda determines whether user consent for non-essential cookies is needed for a given request.
    options.CheckConsentNeeded = context => true;
    options.MinimumSameSitePolicy = SameSiteMode.None;
});

services.AddSession(options =>
{
    options.IdleTimeout = TimeSpan.FromMinutes(15);
    options.Cookie.IsEssential = true;
    options.Cookie.Name = "b2bApp";
});
services.ConfigureApplicationCookie(options =>
{
    // Cookie settings
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.Cookie.IsEssential = true;
    options.Cookie.Name = "b2bApp";
    options.ExpireTimeSpan = TimeSpan.FromMinutes(15);
    options.LoginPath = "/Identity/Account/Login";
    options.AccessDeniedPath = "/Identity/Account/AccessDenied";
    options.SlidingExpiration = true;
});

Configure:

app.UseCookiePolicy();
app.UseSession();

Upvotes: 10

Views: 10586

Answers (4)

Fatih Çelik

Reputation: 531

Response.Cookies.Delete does not work unless you use the same options (CookieOptions) as you did during creation of the cookie you're trying to delete.

For example, if you created the cookie with these options, you need to remove it with the same ones, except 'Expires':

new Microsoft.AspNetCore.Http.CookieOptions
{ 
    Expires = DateTime.Now.AddHours(120), 
    Path = "/", 
    HttpOnly = true, 
    Secure = this.Request.IsHttps, 
    IsEssential = true 
}

Upvotes: 5

Michael

Reputation: 864

@JayHandle's response was the closest to get it to work. Created an empty cookie with all the flags matching the cookie to kill and expired it. Cookies.Delete prevented it from working for me:

context.Response.Cookies.Append("cookie-name", string.Empty, new CookieOptions
{
    Path = context.Request.PathBase, // needed if running under virtual directory
    Secure = true,
    Expires = DateTimeOffset.UtcNow.AddDays(-2),
    IsEssential = true,
    SameSite = SameSiteMode.Lax // Match the same site settings of the cookie
});

Upvotes: 0

JayHandle

Reputation: 186

So to my understanding, Response.Cookies.Delete("key") only sets an expire date for the cookie to be deleted, but doesn't actually delete it. So here is a workaround that I do. I first delete the data in the cookie, that way if the cookie is used, it won't matter because there is nothing in it, then delete it.

public void RemoveCookie(string key)
{
    //Erase the data in the cookie
    CookieOptions option = new CookieOptions();
    option.Expires = DateTime.Now.AddDays(-1);
    option.Secure = true;
    option.IsEssential = true;
    Response.Cookies.Append(key, string.Empty, option);
    //Then delete the cookie
    Response.Cookies.Delete(key);
}

Upvotes: 4

DrTiBiBo

Reputation: 101

Try the following code:

Response.Cookies.Delete("CookieName", new CookieOptions()
{
    Secure = true,
});

In order to delete a SameSite=None cookie, the replacement cookie with the expiry date in the past also needs to have the Secure flag set. If that is not the case, the cookie won't be deleted (as in: the replacement cookie won't be accepted by Chrome).

Reference: How To Correctly Delete Your SameSite Cookies In Chrome (80+)

Upvotes: 7
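
The rule the answers above converge on (the expiring cookie must carry the same Path, Domain and flags as the original, and Secure whenever SameSite=None), as an added C# example that is not code from any of the posters. CookieExpiry, its method names and "cookie-name" are hypothetical, and the attribute values in OnLogout are assumptions that must mirror how the application actually created the cookie.

```csharp
using System;
using Microsoft.AspNetCore.Http;

// Added example; CookieExpiry and its members are hypothetical names.
public static class CookieExpiry
{
    // Options for a replacement cookie that the browser accepts as
    // overwriting, and therefore expiring, the cookie made with createdWith.
    public static CookieOptions BuildExpiredOptions(CookieOptions createdWith)
    {
        var expired = new CookieOptions
        {
            // Path and Domain are part of the cookie's identity: if they differ
            // from creation, the browser stores a second cookie instead.
            Path = createdWith.Path,
            Domain = createdWith.Domain,
            HttpOnly = createdWith.HttpOnly,
            SameSite = createdWith.SameSite,
            Secure = createdWith.Secure,
            // With CheckConsentNeeded enabled (as in the question), Append is
            // suppressed for non-essential cookies until consent is given.
            IsEssential = true,
            Expires = DateTimeOffset.UnixEpoch
        };
        // Chrome 80+ rejects SameSite=None without Secure, so the
        // replacement would be ignored and the old cookie would survive.
        if (expired.SameSite == SameSiteMode.None)
            expired.Secure = true;
        return expired;
    }

    public static void Expire(HttpResponse response, string name, CookieOptions createdWith)
        => response.Cookies.Append(name, string.Empty, BuildExpiredOptions(createdWith));

    // Example call from a logout handler; the values below are constructed.
    public static void OnLogout(HttpContext context)
    {
        var createdWith = new CookieOptions
        {
            // If the cookie was created under an IIS virtual directory with
            // the PathBase as its path, "/" will not match it.
            Path = context.Request.PathBase.HasValue ? context.Request.PathBase.Value : "/",
            HttpOnly = true,
            Secure = context.Request.IsHttps,
            SameSite = SameSiteMode.Strict
        };
        Expire(context.Response, "cookie-name", createdWith);
    }
}
```

Expiring a cookie only asks the browser to discard it; any server-side session or ticket it referenced still has to be invalidated separately on logout.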
