I'm trying to remove a cookie in a GWT application that I have. I first tried using Cookies.removeCookie, but it didn't seem to have any effect. I'm fairly certain this is because removeCookie doesn't let you specify the domain and path.

I'm trying now by setting the cookie to expire at the epoch time, but when I check in Chrome's dev tools, the cookie's expiry time is set to "Session"; it's not removed immediately as I expected.

Here's what I'm using. I'm using the same parameters I used when I set the cookie; the only difference is the value and the date.

```java
boolean secureCookie = "https:".equalsIgnoreCase(Window.Location.getProtocol());
Cookies.setCookie("cookieName", "", new Date(0), null, "/", secureCookie);
```
Daenyth
  • Any chance the cookie is set as http-only? If so, your GWT client app won't be allowed to modify or remove it. – Colin Alworth Apr 26 '12 at 17:01
  • @ColinAlworth: Can you clarify? I'm not certain what you're asking (might be my inexperience in this area). The cookie is set as a secure cookie, if that's what you mean. – Daenyth Apr 27 '12 at 04:39
  • Secure means it will only be sent to clients that are using it with https - but the browser's js will still have access to it. In contrast, Http-only is a way to protect from possible session hijacking by preventing the JS app from being able to read it at all, and from being able to change it. Consider posting how you are setting the cookie in the first place so we've got more information to go off of. – Colin Alworth Apr 27 '12 at 13:56
  • @ColinAlworth: I'm setting the cookie with the same two lines, but with a different value and `new Date(System.currentTimeMillis() + 1000 *60*60*24)` – Daenyth Apr 27 '12 at 15:34

1 Answer

Seems like in

```java
boolean secureCookie = "https:".equalsIgnoreCase(Window.Location.getProtocol());
```

you have a stray `:` after "https" (since `Window.Location.getProtocol()` will presumably return "https", not "https:"). So, you are failing to set the cookie as "secure", and the result is quite expected.

Alexander Pavlov
  • That's not true. Looking in Chrome's dev tools shows that the cookie is indeed set as secure. Even if it were not secure, how is it expected to set expiry time to Session rather than the date I specify? – Daenyth May 07 '12 at 15:35
  • Could it be an effect of the original cookie setting? Looking at [this GWT test code](http://code.google.com/p/gwt-test-utils/source/browse/src/framework/branches/gwt-test-utils-0.25-branch/gwt-test-utils/src/test/java/com/octo/gwt/test/LocationTest.java?spec=svn1205&r=1205#17), I'm seeing the line `assertEquals("http", Location.getProtocol());` - no trailing colons... – Alexander Pavlov May 07 '12 at 15:38
  • I can double check, but the cookie is being set the same way both times - so the parameter would be the same. Edit: Checked again, the cookie is being added as "secure". – Daenyth May 07 '12 at 15:41
  • OK, I'm seeing a few related reports stating issues similar to yours: http://comments.gmane.org/gmane.org.google.gwt/39286 and http://comments.gmane.org/gmane.org.google.gwt/43526... – Alexander Pavlov May 07 '12 at 15:48
  • Found [an explanation for your question on SO](http://stackoverflow.com/questions/3290424/set-a-cookie-to-never-expire). Basically, it is impossible to create a non-expiring cookie according to the spec (that's why I failed to derive it from the spec basics on Wikipedia :))... – Alexander Pavlov May 07 '12 at 15:52
  • I'm not setting the cookie to never expire, I'm setting the cookie to expire immediately (invalidate it). `Cookies.removeCookie` had no effect whatsoever when I ran it (I assume because I set the domain and path when setting it). I looked around and saw places recommending to set the expiry time in the past and the browser would remove it immediately. – Daenyth May 07 '12 at 16:01
  • Eh, forgot what the original question was... :( So, what if you try passing in, say, `now - 24 * 60 * 60 * 1000` milliseconds as the expiry time, rather than `0`? – Alexander Pavlov May 08 '12 at 07:16
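
The two conditions raised in the thread above (an expiring write must use the same domain and path as the stored cookie, and script cannot touch an HttpOnly cookie), as an added example that is not code from any poster or from GWT. It is a simplified JavaScript model of the RFC 6265 section 5.3 storage rules; `CookieJar`, `demo`, the cookie names and the host `app.example.test` are constructed for illustration.

```javascript
// Simplified model of the RFC 6265 section 5.3 storage rules (constructed example).
class CookieJar {
  constructor() { this.store = new Map(); }
  // A stored cookie is identified by name + domain + path, not by name alone.
  static key(c) { return `${c.name};${c.domain};${c.path}`; }

  // fromScript=true models document.cookie; false models a Set-Cookie header.
  set(cookie, { fromScript, now = Date.now() }) {
    const c = { httpOnly: false, expires: null, ...cookie };
    if (fromScript && c.httpOnly) return 'ignored: script cannot set HttpOnly';
    const k = CookieJar.key(c);
    const old = this.store.get(k);
    if (old && old.httpOnly && fromScript) return 'ignored: existing cookie is HttpOnly';
    if (c.expires !== null && c.expires <= now) {
      // An already-expired cookie evicts only the entry with the same identity.
      return this.store.delete(k) ? 'deleted' : 'no matching cookie';
    }
    this.store.set(k, c);
    return old ? 'replaced' : 'created';
  }
  remaining() { return [...this.store.values()].map(c => `${c.name} path=${c.path}`); }
}

function demo() {
  const jar = new CookieJar();
  const domain = 'app.example.test'; // constructed host
  const script = { fromScript: true };
  const server = { fromScript: false };
  // Starting state: the server set an HttpOnly cookie, script set one under /app.
  jar.set({ name: 'session', value: 's1', domain, path: '/', httpOnly: true }, server);
  jar.set({ name: 'ui', value: 'dark', domain, path: '/app' }, script);
  const results = [
    // Expiry at the epoch, but with a path that differs from the stored cookie.
    jar.set({ name: 'ui', value: '', domain, path: '/', expires: 0 }, script),
    // Same write with the original path: the stored cookie is removed.
    jar.set({ name: 'ui', value: '', domain, path: '/app', expires: 0 }, script),
    // Script cannot expire the HttpOnly cookie even with matching attributes.
    jar.set({ name: 'session', value: '', domain, path: '/', expires: 0 }, script),
    // The server can, via a Set-Cookie header with a past expiry.
    jar.set({ name: 'session', value: '', domain, path: '/', expires: 0 }, server),
  ];
  return { results, remaining: jar.remaining() };
}

console.log(JSON.stringify(demo()));
```

When a client-side delete appears to do nothing, the Path, Domain and HttpOnly columns in the browser's cookie inspector show which of these cases applies.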