CODEWITHSUNDEEP
servletscookiesspring-mvc
Cruz
Cruz

Reputation: 681

Delete cookie from a servlet response

I would like to know how to delete a cookie in an HttpServletResponse in Spring MVC. I have the login method where I create the cookie and the logout where I want to delete it, but it doesn't work.

Here is the code:

@RequestMapping(method = RequestMethod.POST)
public ModelAndView Login(HttpServletResponse response, String user, String pass) {     
    if (user != null && pass != null && userMapper.Users.get(user).getPass().equals(pass)){
        Cookie cookie = new Cookie("user", user);
        cookie.setPath("/MyApplication");
        cookie.setHttpOnly(true);
        cookie.setMaxAge(3600);
        response.addCookie(cookie);
        Map model = new HashMap();
        model.put("user", user);
        return new ModelAndView("home", "model", model);
    }
    return new ModelAndView("login");
}

@RequestMapping(value="/logout", method = RequestMethod.POST)
public ModelAndView Logout(HttpServletRequest request, HttpServletResponse response) {     

        Cookie[] cookies = request.getCookies();
        for(int i = 0; i< cookies.length ; ++i){
            if(cookies[i].getName().equals("user")){
                //Cookie cookie = new Cookie("user", cookies[i].getValue());
                //cookie.setMaxAge(0);
                //response.addCookie(cookie);
                cookies[i].setMaxAge(0);
                response.addCookie(cookies[i]);
                break;
            }
        } 
        return new ModelAndView("login");
 }

I thought it was only needed to change the maxAge, but in the browser the cookie don't change. I even tried to rewrite a cookie with the same name in the commented block but it doesn't work either.

Upvotes: 45

Views: 87207

Answers (2)

BalusC
BalusC

Reputation: 1108632

Setting the maximum age to 0 is right. But it must have exactly the same other cookie properties, except of the value. Thus exactly the same domain, path, secure, etc. The value is optional, it can best be set to null.

So, given the way how you created the cookie,

Cookie cookie = new Cookie("user", user);
cookie.setPath("/MyApplication");
cookie.setHttpOnly(true);
cookie.setMaxAge(3600);
response.addCookie(cookie);

it needs to be removed as follows:

Cookie cookie = new Cookie("user", null); // Not necessary, but saves bandwidth.
cookie.setPath("/MyApplication");
cookie.setHttpOnly(true);
cookie.setMaxAge(0); // Don't set to -1 or it will become a session cookie!
response.addCookie(cookie);

That said, I'm not sure how it's useful to store the logged-in user as a cookie. You're basically also allowing the enduser to manipulate its value. Rather just store it as a session attribute instead and call session.invalidate() on logout.

Upvotes: 106

Dmytro
Dmytro

Reputation: 134

No need to use your own code. Just configure rememberMeServices bean that would create cookie while user' logging in with rememberMe option checked, and would delete it after logout.

Upvotes: -4

Related Questions