How do I delete a cookie from a specific domain using Javascript?

Question

Let's say I am at http://www.example.com and I want to delete a cookie whose domain is .example.com and another one whose domain is www.example.com.

I am currently using this generic function :

var deleteCookie = function (name)
{
  document.cookie = name + '=; path=/; expires=Thu, 01 Jan 1970 00:00:01 GMT;';
};

which only seems to be removing cookies whose domain is www.example.com.

But how can I specify so that it also removes cookies whose domain is .example.com ?

EDIT : Basically I'm looking for a function that can delete all cookies related to http://www.example.com as long as they don't have the httponly flag. Is there such a function?

possible duplicate of [Clearing all cookies with JavaScript](http://stackoverflow.com/questions/179355/clearing-all-cookies-with-javascript) — Álvaro González, Jan 23 '14 at 12:34
Does this answer your question? [How to delete a cookie?](https://stackoverflow.com/questions/2144386/how-to-delete-a-cookie) — Liam, May 10 '22 at 12:46

score 18 · Answer 1 · answered Aug 21 '13 at 21:16

You could do this only if you were at http://example.com and wanted to delete http://blah.example.com cookie. It wouldn't work from www.example.com either - only the "base" domain can delete subdomain cookies.

There are also "all-subdomain" cookies, which start with a ., and can also only be deleted by the base domain.

From the base domain, this should work to delete it:

document.cookie = 'my_cookie=; path=/; domain=.example.com; expires=' + new Date(0).toUTCString();

Or using the excellent jquery.cookie plugin:

$.cookie('my_cookie',null, {domain:'.example.com'})

"only the "base" domain can delete subdomain cookies." was the crucial hint for me. — kklepper, Nov 02 '20 at 09:29

score 11 · Answer 2 · edited May 27 '16 at 13:30

11

For security, you're not allowed to edit (or delete) a cookie on another site. Since there's no guarantee that you own both foo.domain.com and bar.domain.com, you won't be allowed to edit the cookies of foo.domain.com from bar.domain.com and vice versa.

Consider if you were allowed to do that and went to a malicious site, then back to your bank where you were about to deposit a cheque into your bank account. But while being on the malicious site, they updated your bank cookie with their own bank information. Now, suddenly, the cheque would be deposited into the malicious site's owner's bank account.

edited May 27 '16 at 13:30

G.Ani

93
5

answered Jul 21 '13 at 21:15

kba

19,333
5
62
89

Yes I can. I've just opened up my Chrome console on yahoo.com and I called the function of my original post which deleted a cookie set in www.yahoo.com. However I can't seem to be able to delete .yahoo.com cookies. I'm looking for a function that can do that by specifying the domain from which to delete the cookie. – The Random Guy Jul 28 '13 at 16:58
2

@TheRandomGuy The Chrome console isn't working under the same restrictions as the code executed from a website. On the website `foo.domain.com` you won't be able to edit the cookie on `bar.domain.com`. See [other](http://stackoverflow.com/questions/117240/is-it-possible-to-delete-subdomain-cookies) [similar](http://stackoverflow.com/questions/6525484/deleting-cookies-in-other-subdomains) [questions](http://stackoverflow.com/questions/3923285/how-to-remove-main-domain-cookie-from-sub-domain) if you aren't convinced. – kba Jul 28 '13 at 22:31
I am not looking at deleting cookies from a domain where my script will not be firing on. My script will be loaded on e.g. www.someurl.com and I want my script to delete the maximum number of cookies possible from www.someurl.com and .someurl.com – The Random Guy Jul 29 '13 at 18:39
1

@TheRandomGuy did you find a solution? – user3808307 Jun 11 '19 at 03:01

Markus Knappen Johansson · Answer 3 · 2021-12-22T22:34:26.330

2

Just wanted to add to this reg. deleting top-level cookies from sub domains.

I was surfing "mysub.mysite.se" with the following script inside a referenced js-file (mysub.mysite.se/file.js).

This code did remove the _fbp cookie with domain ".mysite.se".

document.cookie = '_fbp=;expires=Thu, 01 Jan 2010 00:00:00 UTC; path=/; domain=.mysite.se';
document.cookie = '_fbp=;expires=Thu, 01 Jan 2010 00:00:00 UTC; path=/; domain=www.mysite.se';
document.cookie ='_fbp=;expires=Thu, 01 Jan 2010 00:00:00 UTC; path=/; domain=mysite.se';

So what @kba is saying is not 100% right, but this is the case when you try to remove a cookie on a 3rd party domain.

edited Dec 22 '21 at 22:34

answered Apr 14 '21 at 23:37

Markus Knappen Johansson

1,461
17
19

1

I also found it odd that there is no guarantee one own subdomain.domain.com even if they own .domain.com. Your code worked for me. I want to delete a top level cookie from a subdomain. Adding domain=.domain.com did the trick. – Francisco Luz Nov 24 '21 at 08:03

Werthis · Answer 4 · 2023-06-22T12:27:29.503

1

If you are using 'universal-cookie', you can just use remove() function check here.

cookies.remove('my_cookie', { domain: window.location.hostname}); - this domain

cookies.remove('my_cookie', { domain: '.example.com' }); - any other damain

edited Jun 22 '23 at 12:27

answered Jun 22 '23 at 12:11

Werthis

557
3
15

user3198259 · Answer 5 · 2019-05-08T12:18:27.687

-2

We need to set the cookie for delete them.

Example:

this.cookieService.set(cookiename, '', new Date('Thu, 01 Jan 1970 00:00:01 GMT'));

Please refer below Git location for more details. https://github.com/7leads/ngx-cookie-service/issues/5 https://github.com/angular/angular/issues/9954

edited May 08 '19 at 12:18

answered May 07 '19 at 08:21

user3198259

178
3
13

2

Maybe you should specify where does this cookieService come from? – Laxmikant Dange Feb 17 '21 at 02:40

How do I delete a cookie from a specific domain using Javascript?

5 Answers5

Linked