I am trying to delete cookies from the browser at log out, but when testing with the old session ID, the .AspNet.ApplicationCookie still remains.
The code I have added to the log out is:

C#
if (System.Web.HttpContext.Current != null)
{
    HttpCookie aCookie;
    string cookieName;
    int limit = Request.Cookies.Count;
    // Queue an expired copy of every cookie the browser sent with this request.
    for (int i = 0; i < limit; i++)
    {
        cookieName = Request.Cookies[i].Name;
        aCookie = new HttpCookie(cookieName);
        aCookie.Expires = DateTime.Now.AddDays(-1d);
        Response.Cookies.Add(aCookie);
    }
}
System.Web.HttpContext.Current.Session.Abandon();
// Empties the outgoing Response.Cookies collection on the server; the expired copies queued above are discarded here and never reach the browser.
Response.Cookies.Clear();
System.Web.HttpContext.Current.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));


What I have tried:

I have tried setting the name to null:
C#
cookieName = Request.Cookies[i].Name = null;

and setting the value to null:
C#
aCookie.Value = null;
Posted
Updated 13-Aug-18 2:54am

You specify the new cookies with their settings and then you call Response.Cookies.Clear(), so all of your amendments are undone.

ASP.NET will re-use the session ID. If that's a problem because you are using the session ID somewhere in your code, then the solution is to change your code to not use the session ID but to use something else.
 
It doesn't matter if I call Response.Cookies.Clear() at the start or the end. It has no effect.

C#
if (System.Web.HttpContext.Current != null)
{
    System.Web.HttpContext.Current.Session.Clear();
    System.Web.HttpContext.Current.Session.Abandon();
    // Replace the session cookie with an empty one so a new session ID is issued.
    System.Web.HttpContext.Current.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
    HttpCookie aCookie;
    string cookieName;
    int limit = Request.Cookies.Count;
    // Queue an expired copy of every cookie the browser sent with this request.
    for (int i = 0; i < limit; i++)
    {
        cookieName = Request.Cookies[i].Name;
        aCookie = new HttpCookie(cookieName);
        aCookie.Expires = DateTime.Now.AddDays(-1);
        Response.Cookies.Add(aCookie);
    }
}

And by the session ID I guess you are talking about ASP.NET_SessionId.

I am trying to delete the .AspNet.ApplicationCookie.
 
Comments
F-ES Sitecore 13-Aug-18 7:15am    
Cookies.Clear doesn't clear the cookies held by the browser, it empties the contents of the Cookies collection in your code. So you add a bunch of cookies to the collection then clear the collection, so when the response is sent to the client it won't include your expiry updates. Don't call .Clear at all
I have already tried leaving that out too. The same thing happens. The .AspNet.ApplicationCookie session is still valid after setting the expiry to one day earlier and not calling Clear at all.
 
This isn't going to work. This code runs entirely on the server side. So, if the user actually clicks the "Logout" button, you've got a chance to overwrite the cookies.

The far bigger problem is that users seldom ever click "Logout". They just close the browser. Your code will never be called and the cookies will not be cleared out or replaced.

So, what happens tomorrow when the user logs back in again? They'll have an entirely new session with a different session ID, but the cookie session ID isn't going to match. Now you've got a huge problem.

NEVER save the session ID in a cookie on the client side.
 
The cookie is only available for the session. Closing the browser down will close the session and therefore expire the cookies. If they log in tomorrow, they will have to log back in.
So what is the resolution from a security standpoint? If they log out or close the browser, then they will have to log in again, rather than an attacker hijacking the session.
 
Comments
Dave Kreskowiak 13-Aug-18 9:10am    
First, you posted this as an answer to your own question.

Next, closing the browser does NOT close the session. The session has to expire on the server before it's closed. The session "remaining time to live" is reset with every access from the web browser.

The browser also does not kill cookies on close by default. You have to enable this option in the browser settings. This is not typically done.
JakeFront 13-Aug-18 10:32am    
Yeah, sorry. I've been pressing the wrong button.
With regard to the cookie: this is all new to me about cookies and sessions. The security audit says we need to mitigate the possibility of reusing the old expired session ID in a new request. I've looked around and found the code above on a number of sites, but when the old session ID is put into Firefox using Cookie Manager, it doesn't redirect to the login page on a refresh.
I was hoping someone may have come across the same sort of issue.
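The following is an added example and is not code from the thread above or from any of its posters. It addresses two points raised in the discussion: F-ES Sitecore's note that Response.Cookies.Clear() empties the outgoing collection rather than the browser's cookies, and the audit finding in the last comment that an old .AspNet.ApplicationCookie pasted back in with a cookie manager still logs the user in. The second point is why expiring the browser copy can never be enough on its own: the OWIN cookie middleware stores a self-contained, encrypted authentication ticket in that cookie, so a saved copy stays valid until the ticket's own expiry unless the server checks something that changed at logout. ASP.NET Identity 2.x provides exactly such a check, the security stamp: rotating it at logout and validating it on every request rejects every ticket issued before the logout. The example assumes the ASP.NET MVC 5 / Identity 2.x project template, whose ApplicationUser, ApplicationUserManager and ApplicationUser.GenerateUserIdentityAsync types are referenced but not defined here.

```csharp
// Added example; not code from the thread above. Assumes the ASP.NET MVC 5 / ASP.NET
// Identity 2.x project template: ApplicationUser, ApplicationUserManager and
// ApplicationUser.GenerateUserIdentityAsync are the template's types and are not defined here.
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    // App_Start/Startup.Auth.cs: cookie middleware that re-validates the ticket
    // against the user's current security stamp.
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always,
            Provider = new CookieAuthenticationProvider
            {
                // validateInterval: TimeSpan.Zero checks the stamp on every request, so a
                // ticket issued before LogOff rotated the stamp is rejected immediately.
                // The template default of 30 minutes would leave a 30-minute replay window.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.Zero,
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> LogOff()
    {
        var owin = HttpContext.GetOwinContext();
        var userManager = owin.GetUserManager<ApplicationUserManager>();
        string userId = User.Identity.GetUserId();

        // 1. Server-side revocation: rotating the security stamp makes every ticket
        //    issued to this user (including a copy saved in a cookie manager) fail
        //    SecurityStampValidator the next time it is presented.
        if (!string.IsNullOrEmpty(userId))
        {
            await userManager.UpdateSecurityStampAsync(userId);
        }

        // 2. Ask the cookie middleware to emit an expired .AspNet.ApplicationCookie.
        owin.Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

        // 3. Drop the in-proc session. Abandon() alone lets ASP.NET reuse the ID, so the
        //    ASP.NET_SessionId cookie is expired with the others below and a fresh ID is
        //    issued on the next request.
        Session.Clear();
        Session.Abandon();

        ExpireAllRequestCookies(Request, Response);
        return RedirectToAction("Login", "Account");
    }

    // Expire every cookie the browser sent. There is deliberately no
    // Response.Cookies.Clear() here: Clear() empties the outgoing collection and would
    // discard these expired copies before the response is written.
    internal static void ExpireAllRequestCookies(HttpRequestBase request, HttpResponseBase response)
    {
        foreach (string name in request.Cookies.AllKeys)
        {
            var expired = new HttpCookie(name, string.Empty)
            {
                Expires = DateTime.UtcNow.AddDays(-1),
                HttpOnly = true,
                Secure = request.IsSecureConnection,
                // Path must match the one the cookie was set with, or the browser keeps the original.
                Path = "/"
            };
            response.Cookies.Set(expired);
        }
    }
}
```

Two consequences of this design are worth knowing before adopting it. Rotating the security stamp signs the user out of every browser and device at once, not just the one that clicked Logout, which is usually what an audit finding like the one above wants. And validating on every request costs one user lookup per request; if that is too expensive, raise validateInterval, accepting that an old cookie then remains usable for up to that interval after logout. To reproduce the audit's test, log in, copy the .AspNet.ApplicationCookie value, log out, paste the old value back with a cookie manager and refresh: with the stamp rotated and validated, the request is redirected to LoginPath instead of being served.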

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


