1

I'm working on a Java web application that should not allow a user to open it in 2 different tabs, and I'm using session cookies for that. It seems to work fine in most scenarios, but the problem is that the cookies are not cleared when the browser exits. This is how I set the cookies:

```java
String sCookie = "mycookie=true;Path=/;Domain=.mydomain.com;HttpOnly";
if (!response.containsHeader("Set-Cookie")) {
    response.setHeader("Set-Cookie", sCookie);
} else {
    response.addHeader("Set-Cookie", sCookie);
}
```

As I understand, if I don't specify the Expires field, the cookie should be deleted on browser close. This is how I validate if the cookie exists:

```java
Cookie[] cookies = request.getCookies();
for (Cookie cookie : cookies) {
    if ("mycookie".equals(cookie.getName()) && Boolean.valueOf(cookie.getValue())) {
        // some error
    }
}
```

Is there any problem with this code? Meaning, can I set the cookie with `response.setHeader` and then check it with `request.getCookies()`? Sometimes I have problems deleting the cookie manually, and then when I restart the browser the problem continues.

This is how I manually delete the cookie (on tab close):

```java
String sCookie = "mycookie=;Path=/;Domain=.mydomain.com;HttpOnly";
if (!response.containsHeader("Set-Cookie")) {
    response.setHeader("Set-Cookie", sCookie);
} else {
    response.addHeader("Set-Cookie", sCookie);
}
```

Thanks in advance
UPDATE
This is how I create the cookie:

```java
Cookie c = new Cookie("mycookie", "true");
c.setDomain(".mydomain.com");
c.setPath("/");
c.setValue("true");
response.addCookie(c);
```

This is how I delete the cookie:

```java
for (Cookie c : request.getCookies()) {
    if ("mycookie".equals(c.getName())) {
        c.setMaxAge(0);
        c.setValue("");
    }
}
```

But it's still not working. Actually, now the cookie is not deleted when I close the tab (this was working fine in my previous version with "Set-Cookie" :S). Another detail is that I'm not seeing my cookie in the Resources tab of Chrome's developer tools.

maxivis
  • Are you using Chrome by any chance? – Maurice Perry Apr 16 '15 at 15:22
  • Hi @MauricePerry, yes, I'm testing with Chrome, Internet Explorer 10 and Firefox – maxivis Apr 16 '15 at 15:25
  • Here is a post that might help: http://stackoverflow.com/questions/10617954/chrome-doesnt-delete-session-cookies – Maurice Perry Apr 16 '15 at 15:35
  • Have you tried `c.setDomain("");`? – Jordi Castilla Apr 16 '15 at 15:54
  • Mmm, shouldn't it be the same domain specified at creation, @JordiCastilla? – maxivis Apr 16 '15 at 15:56
  • I mean at the moment you "delete" the cookie. Also, the cookie not being deleted when closing the tab is normal, per [setMaxAge()](https://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/Cookie.html#setMaxAge%28int%29): *Returns the maximum age of the cookie, specified in seconds, By default, -1 indicating the cookie will persist until browser shutdown.* – Jordi Castilla Apr 16 '15 at 15:56
  • I'm starting to think that @MauricePerry is right, because I've made another test on Internet Explorer and it worked "almost" fine (I just had to try a couple of times, but the cookies were deleted)... I'll do a little more testing and research – maxivis Apr 16 '15 at 16:17

2 Answers

1

As a general hint, you'd better use the `response.addCookie(..)` method and possibly use `Cookie.setMaxAge(-1)`.

That said, that should be the default, so in order to understand the problem, you should use Firebug (or any browser developer tools) to inspect your cookies and check their max age, before and after closing the browser. E.g. you may have some leftover cookie.

Bozho
  • Thanks @Bozho for your answer. I've already tried with the Cookie object but it didn't work, that's why I've implemented it with `response.setHeader`. Regarding the cookie, I can see it in Firebug and it is marked as Session (Expires/Max-age tab) – maxivis Apr 16 '15 at 14:30
1

Actually, you should set the cookies in a different way:

```java
// create your cookie (the constructor requires a name and a value)
Cookie myCookie = new Cookie("mycookie", "true");
// set path, and other attributes you need

// add the cookie to the response
response.addCookie(myCookie);
```

Then, to make a cookie expire:

```java
myCookie.setMaxAge(0);
```

Also, in order to clean completely:

```java
myCookie.setValue("");
myCookie.setPath("/");
```

So, you have to get all the cookies in the request, identify yours and clean it with something like this:

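```java
// getCookies() returns an array, or null when the request carries no cookies
Cookie[] cookies = request.getCookies();

if (cookies != null) {
    for (Cookie cookie : cookies) {
        // identify your cookie
        if ("mycookie".equals(cookie.getName())) {
            cookie.setMaxAge(0);
            cookie.setValue("");
            cookie.setPath("/");
            // send the expired cookie back so the browser removes it
            response.addCookie(cookie);
        }
    }
}
```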

If cookie.getName("Set-Cookie") does not match your Cookie, debug your code to see what name is assigned in the response.setHeader("Set-Cookie", sCookie);

Jordi Castilla
  • Thanks @JordiCastilla, as I mentioned to Bozho I've already tried with this setting, but it didn't work. Am I mixing things up in my code? I mean, besides your suggestion, is there any problem if I set with response.setHeader and check with request.getCookies? – maxivis Apr 16 '15 at 14:32
  • That's how I'm checking the cookies @JordiCastilla, but apparently it is not working fine. In some tests I got stuck and I cannot open a new tab, so if the cookies are really in the session the problem should be solved just by restarting the browser, but it's not: I open the browser again and the cookies are still there – maxivis Apr 16 '15 at 14:38
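
The set, check and delete steps discussed in this thread, as an added example that is not part of the original question or answers. A browser identifies a cookie by name, domain and path, and the cookies returned by `request.getCookies()` carry only name and value, so the delete has to restate the domain and path and be written to the response. `TabMarkerCookie` is a hypothetical helper name; the cookie name and domain are the ones from the question, and `setHttpOnly` assumes Servlet 3.0 or later.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper (added example): sets, checks and clears the marker cookie in one place. */
public final class TabMarkerCookie {
    private static final String NAME = "mycookie";        // name used in the question
    private static final String DOMAIN = ".mydomain.com"; // domain used in the question
    private static final String PATH = "/";

    private TabMarkerCookie() {}

    /** Builds the cookie with the same identifying attributes every time. */
    private static Cookie build(String value, int maxAgeSeconds) {
        Cookie c = new Cookie(NAME, value);
        c.setDomain(DOMAIN);
        c.setPath(PATH);
        c.setHttpOnly(true);        // assumption: Servlet 3.0+; hides the cookie from page scripts
        c.setMaxAge(maxAgeSeconds); // -1 = session cookie, 0 = delete immediately
        return c;
    }

    /** Sets the marker as a session cookie (no Expires/Max-Age sent). */
    public static void set(HttpServletResponse response) {
        response.addCookie(build("true", -1));
    }

    /** Returns true when the request carries the marker with the value "true". */
    public static boolean isSet(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies(); // null when the request has no cookies
        if (cookies == null) {
            return false;
        }
        for (Cookie c : cookies) {
            if (NAME.equals(c.getName()) && Boolean.parseBoolean(c.getValue())) {
                return true;
            }
        }
        return false;
    }

    /** Clearing needs a new Set-Cookie header; changing a request cookie alone sends nothing. */
    public static void clear(HttpServletResponse response) {
        response.addCookie(build("", 0));
    }
}
```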