
I use cookies to implement a 'remember me' option for login on my website. Setting the cookie works OK. Unsetting used to work. Then I made a new version of the site, with httponly cookies; logout worked on localhost, but it doesn't work on the server. I run the new code in the directory "test"; I can still use the old code, which works well for cookies set in the old login function (not the new one).

Just in case it might be important, and to prove I don't have any of the common issues solved in answers to related questions, like incorrect parameters, testing on the same page, headers already sent, or relative time while unsetting the cookies, I show my code. First, the code setting the cookies (the new ones):

...
setcookie ('login', $login, time()+60*60*24*30,'/','e-history.cz', false, true);
setcookie ('pass', $pass, time()+60*60*24*30,'/','e-history.cz', false, true);
...

My logout script:

<?php
  include 'login_functions.php'; 
  logout(); 
?>

And the logout function:

  function logout() { 
    include 'library.php';  //all functions and constants

    //var_dump( headers_sent() );  //I've tested the headers, not sent yet

    checkSession();  //starts session if not started
    unset($_SESSION['login']);  //I don't need to delete the rest of the session for logout

    if(isset($_COOKIE['login']))  {
      setcookie ('login', '', 1,'/','e-history.cz', false, true);
    }   
    if(isset($_COOKIE['pass']))  {
      setcookie ('pass', '', 1,'/','e-history.cz', false, true);
    }

    header('Location:index.php'); 
  }

I've tested the headers - they work OK. The response headers (according to the HTTP Spy extension for Chrome) include the following:

Set-Cookie  pass=deleted;
expires=Thu, 01-Jan-1970 00:00:01 GMT;
path=/;
domain=e-history.cz;
httponly
Set-Cookie  login=deleted;
expires=Thu, 01-Jan-1970 00:00:01 GMT;
path=/;
domain=e-history.cz;
httponly

EDIT - I am making my former "answer" part of the question, because it worked only for some time; I don't know why it doesn't work now. I switched a few times between non-httponly, httponly and mixed cookies; each time I deleted the old cookies before creating new ones and took care not to mismatch them. Anyway, httponly doesn't seem to make a difference.

I have found a similar question saying that unsetting an httponly cookie is not possible without server interaction. Theoretically, it shouldn't be a problem, as I use PHP, which works server-side. However, it's not so easy in practice. But there's a solution, suggested in its answer: to make one of the cookies with and the other without the httponly property. I was afraid that having the old value in the password cookie would collide with logging in as another user, but I tested it and it works fine; the new user's password just overwrites the old user's one.

Pavel V.

1 Answer


The problem wasn't in httponly, nor in any other problem I linked, but in the domain - on the "main" domain (e-history.cz) the "domain" cookie property is automatically prefixed by a dot. On the test subdirectory (e-history.cz/test) this didn't happen. The result was that I could delete cookies produced by the main domain, even if the test domain worked with httponly cookies, but I couldn't delete the cookies from the test subdir. I added the dot to the domain explicitly and now everything works fine. Using the same cookies for the main and test domain seems not to be a problem now - if it was a problem, I would remove the dot completely (by setting null or '' to invoke the default, instead of the set domain).

Pavel V.
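The root cause in the answer is that a browser identifies a cookie by its name together with the domain and path attributes, so a Set-Cookie that expires it must repeat those attributes exactly as they were at creation; the HttpOnly flag plays no part in that. The following is an added example, not the asker's code, showing one way to make a mismatch impossible: login and logout draw the attributes from one shared constant. It assumes PHP 7.3 or later (the array form of setcookie), the domain from the page with the explicit leading dot the answer settled on, and that the site is served over HTTPS (the `secure` flag); the cookie names are kept from the question.

```php
<?php
// Added example (not from the original question or answer).
// Assumes PHP >= 7.3 for the $options array form of setcookie().

// One attribute set for the remember-me cookies. The same array is used
// when the cookie is created and when it is expired, so domain and path
// cannot drift apart between login and logout. The domain is the one
// from the accepted answer, with the explicit leading dot.
const REMEMBER_COOKIE_ATTRS = [
    'path'     => '/',
    'domain'   => '.e-history.cz',
    'secure'   => true,   // assumption: site served over HTTPS
    'httponly' => true,   // not readable from JavaScript; irrelevant to deletion
    'samesite' => 'Lax',
];

const REMEMBER_COOKIE_LIFETIME = 60 * 60 * 24 * 30; // 30 days, as on the page

function rememberCookieNames(): array
{
    return ['login', 'pass'];
}

// Called from the login function after credentials are accepted.
function setRememberCookies(string $login, string $pass): void
{
    $attrs = REMEMBER_COOKIE_ATTRS + ['expires' => time() + REMEMBER_COOKIE_LIFETIME];
    setcookie('login', $login, $attrs);
    setcookie('pass', $pass, $attrs);
}

// Expire every remember-me cookie using the identical attribute set.
// PHP emits "name=deleted; expires=Thu, 01-Jan-1970 ..." for an empty value
// with an expiry in the past, matching the headers shown in the question.
function clearRememberCookies(): void
{
    $attrs = REMEMBER_COOKIE_ATTRS + ['expires' => 1];
    foreach (rememberCookieNames() as $name) {
        // Unconditional: $_COOKIE only reflects what the browser sent, and a
        // cookie the browser did not present cannot be cleared anyway, so the
        // isset() guard from the question buys nothing here.
        setcookie($name, '', $attrs);
    }
}

function logout(): void
{
    // A Set-Cookie header can only be sent before any output; fail loudly
    // instead of silently leaving the cookies in place.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Cannot clear cookies: output already started at $file:$line");
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    unset($_SESSION['login']);
    clearRememberCookies();
    header('Location: index.php');
    exit;
}
```

To confirm the fix on a live server, compare the `domain=` and `path=` values in the logout response's Set-Cookie headers with those stored for the cookie in the browser's cookie viewer; any difference, including a leading dot, means the browser stores a second cookie rather than expiring the first. Separately, a remember-me cookie would normally carry a random token that is looked up and revocable server-side rather than the password itself, which the question's `pass` cookie stores in clear; that design change is outside the scope of the question and the example keeps the page's cookie names.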