
I just tried setting (actually, deleting, via Max-Age set to 0) a session cookie when I detect a specific client error. The HTTP response I am using is from the 4xx category (e.g. 401, 406, etc.).

The cookie deletion works fine with this kind of response generated on the server side:

            // JAX-RS (javax.ws.rs.core.Response); cookieName, sessionId and
            // cookiePath are Strings set elsewhere in the resource class.
            // Max-Age=0 plus an Expires in the past tells the browser to drop
            // the cookie; Path must match the cookie being deleted.
            Response resp = Response.status(Response.Status.OK)
                .header("Set-Cookie",
                        cookieName + "=" + sessionId + "; " +
                        "Version=1; Max-Age=0; Path=" + cookiePath + "; " +
                        "Expires=Thu, 01 Jan 1970 00:00:00 GMT")
                .entity("").build();

...but fails with this:

            // Same Set-Cookie header, only the status differs
            // (javax.ws.rs.core.Response.Status.UNAUTHORIZED is 401).
            Response resp = Response.status(Response.Status.UNAUTHORIZED)
                .header("Set-Cookie",
                        cookieName + "=" + sessionId + "; " +
                        "Version=1; Max-Age=0; Path=" + cookiePath + "; " +
                        "Expires=Thu, 01 Jan 1970 00:00:00 GMT")
                .entity("").build();

(Only difference: 200 => 406).

Is it true that cookies can't be set with 4xx responses?

angularJsNewbie
  • Have you tested with multiple browsers? Have you checked in your browser's developer tools if the `Set-Cookie` header is really there? This might be also related to the implementation of the `Response` class. – lanzz Feb 04 '14 at 13:51

RFC 6265 states that those cookies MUST be accepted:

Origin servers MAY send a Set-Cookie response header with any response. User agents MAY ignore Set-Cookie headers contained in responses with 100-level status codes but MUST process Set-Cookie headers contained in other responses (including responses with 400- and 500-level status codes). An origin server can include multiple Set-Cookie header fields in a single response. The presence of a Cookie or a Set-Cookie header field does not preclude HTTP caches from storing and reusing a response.

Mark Amery
lanzz
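The rule quoted in the answer can be checked end to end with a user agent that is not a browser. The following is an added example, not code from the question or the answer: a throwaway server on loopback answers /login with a 200 that sets a session cookie and /expired with a 401 whose Set-Cookie is the same Max-Age=0 string the question's 4xx branch builds; a urllib client with an http.cookiejar CookieJar fetches both and the jar is inspected after each. The cookie name, value and path, and the two URL paths, are assumptions standing in for the question's cookieName, sessionId and cookiePath.

```python
"""Added example (not the question's or answer's code): does a cookie jar
process Set-Cookie on a 401 the same way as on a 200?  Cookie name/value/path
and the URL paths below are assumptions."""
import http.cookiejar
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

COOKIE_NAME = "JSESSIONID"   # assumed; stands in for the question's cookieName
SESSION_ID = "abc123"        # assumed; stands in for the question's sessionId
COOKIE_PATH = "/"            # assumed; stands in for the question's cookiePath


class Handler(BaseHTTPRequestHandler):
    """/login sets the session cookie with a 200; /expired deletes it with a
    401 whose Set-Cookie is the string the question's 4xx branch emits."""

    def do_GET(self):
        if self.path == "/login":
            status = 200
            cookie = f"{COOKIE_NAME}={SESSION_ID}; Path={COOKIE_PATH}"
        elif self.path == "/expired":
            status = 401
            cookie = (f"{COOKIE_NAME}={SESSION_ID}; Version=1; Max-Age=0; "
                      f"Path={COOKIE_PATH}; "
                      "Expires=Thu, 01 Jan 1970 00:00:00 GMT")
        else:
            status, cookie = 404, None
        self.send_response(status)
        if cookie is not None:
            self.send_header("Set-Cookie", cookie)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Bind to an ephemeral loopback port and serve from a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(opener, url):
    """Return the response status.  urllib raises HTTPError for 4xx, but
    HTTPCookieProcessor (handler_order 500) has already extracted the
    cookies by the time HTTPErrorProcessor (handler_order 1000) raises."""
    try:
        with opener.open(url) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        err.close()
        return err.code


def run_demo():
    """Returns (status, jar contents) after /login and after /expired."""
    srv = start_server()
    base = f"http://127.0.0.1:{srv.server_port}"
    # CookieJar ignores the status code: Max-Age=0 on the 401 is treated as
    # a deletion exactly as it would be on a 200.
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(jar))
    try:
        login_status = fetch(opener, base + "/login")
        after_login = {c.name: c.value for c in jar}
        expired_status = fetch(opener, base + "/expired")
        after_expired = {c.name: c.value for c in jar}
    finally:
        srv.shutdown()
        srv.server_close()
    return login_status, after_login, expired_status, after_expired


if __name__ == "__main__":
    print(run_demo())   # (200, {'JSESSIONID': 'abc123'}, 401, {})
```

If a real browser keeps the cookie after the 401, the place to look is the response itself (the developer tools' network tab, or curl -i), not the status code: a framework or servlet filter may be replacing the error response and dropping the header, and the deletion cookie's Path and Domain must match the cookie that was originally set or the browser treats it as a different cookie.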