PHP Cookies Not Unsetting [Unusual Situation]

Question

I have a problem with some cookies not unsetting. I have had a look through this question but all the answers have not worked.

I have 13 cookies in total, which I need to clear to test occasionally. When I unset them using:

setcookie("name", "", time() - 3600, '/');

What makes this unusual, is that using the same code with a different name unsets 10 of 13 cookies, leaving 3 still set... All the cookies are created at the same time, and I am trying to unset them all at the same time. I have checked the cookie names which all match what is stored on my PC.

As stated, I have tried all the answers in the post linked above, but none have worked. The cookies are set and unset from within the same directory, just a different file of which permissions are the same level.

Any suggestions?

(Not sure if it matters, but I'm using Chrome on Mac)

Example: Setting cookies during login (I've dumbed it down to the 4 key cookies I need)

if($pass == 1) {
    setcookie('auth_code',$no_generator,$cookie_expire,'/');
    setcookie('username',$_POST['username'],$cookie_expire,'/');
    setcookie('admin',$admin,$cookie_expire,'/');
    setcookie('login_time',$date,$cookie_expire,'/');
    $_SESSION['logged_in'] = "true";
    header('Location: /logs.php');
}

Unsetting Cookies:

setcookie("admin", "", time() - 3600, '/');
setcookie("login_time", "", time() - 3600, '/');
setcookie("username", "", time() - 3600, '/');
setcookie("auth_code", "", time() - 3600, '/');

$cookie_expire is set to: $cookie_expire = time() + (21*365*24*60*60);.

Can you create an **[MCVE](https://stackoverflow.com/help/mcve)**? — Siguza, Jul 29 '15 at 16:57
Edited Question and all names have been double checked, even used an online comparison tool just in case. — Scott Thornton, Jul 29 '15 at 17:04
Also, all the code there is directly copied from the live files, so you can see the spelling of the names match etc.. — Scott Thornton, Jul 29 '15 at 17:06
@Kkinsey Nope, just added `date_default_timezone_set('Europe/London');` to the removal file, still won't remove the cookies.. — Scott Thornton, Jul 29 '15 at 17:07
@frz3993 Yes, that's correct. Except the "login_time", that unsets fine. — Scott Thornton, Jul 29 '15 at 17:07
And please check in chrome when you unset the cookies, the `can't be unset cookies` expiry date, do they change ? — frz3993, Jul 29 '15 at 17:08
@frz3993 Not sure how I would check... But, I use the same code, just different names for all my cookies, the others unset, so not sure why these wouldn't too.. — Scott Thornton, Jul 29 '15 at 17:10
Open the developer tools, click the Resources tab and in the left most pane choose to collapse the cookies and select the website. It should show all the cookies with expiry date if they are not session cookies. — frz3993, Jul 29 '15 at 17:21
are you sure that you are unsetting all cookies **before** sending any content to the client (except the response header of course) ? — Paolo, Jul 29 '15 at 17:29
I would suggest to install LiveHTTPHeaders (it's a plugin) on Firefox and look at the response header when the page that is supposed to unset the cookies is sent. — Paolo, Jul 29 '15 at 17:31
@frz3993 The file literally consists of php tags, a load of `setcookie("auth_code", "", time() - 3600, '/');` etc lines of code, and thats it... Nothing at all is sent to the browser, except a HTML link to my `check_cookies` page... Which is after all the PHP stuff.. — Scott Thornton, Jul 29 '15 at 17:31
*"The file literally consists of php tags"* that means that you open and close php code blocks with `` several times ? In that case you may inadvertitely be sending content (even a space) to the browser while unsetting cookies. In that case just begin the script with ` — Paolo, Jul 29 '15 at 17:37
I thought in somewhere in your application you have the cookies being set back after the unset. So when you set the cookie you will have the initial expiry time, when you run the unset php script the expiry time will change because it is being set again. If this is not the case, this is a weird behavior. — frz3993, Jul 29 '15 at 17:44
@frz3993 Nope, I manually run the cookie removal file as i don't want the users to be able to delete their cookies unintentionally. Although, I'm starting to believe more and more that i've messed up somewhere and potentially done something tiny that's causing the issue. Just another learning curve for me I guess! Thanks for all your help anyway, give me a shout if anything else comes to you! :) — Scott Thornton, Jul 29 '15 at 21:12

score 0 · Accepted Answer · answered Jul 29 '15 at 17:56

your code work well in my localhost. did you try set cookies name as array? i did a little modification for my local:

<?php
    $pass=$_GET['pass'];
    if($pass == 1) {
        $a='A';
        $cookie_expire = time() + (21*365*24*60*60);
    setcookie('coo[auth_code]',$a,$cookie_expire,'/');
    setcookie('coo[username]',$a,$cookie_expire,'/');
    setcookie('coo[admin]',$a,$cookie_expire,'/');
    setcookie('coo[login_time]',$a,$cookie_expire,'/');
    //$_SESSION['logged_in'] = "true";
    header('Location: ./log.php');
}

then unset using looping

foreach($_COOKIE['coo'] as $k=>$v){
    setcookie("coo[$k]", "", time() - 3600, '/');
}

Just in case,

Note from php.net

If the PHP directive register_globals is set to on then cookie values will also be made into variables. In our examples below,

$TestCookie will exist. It's recommended to use $_COOKIE.

I'm willing to try this one, but I'd like to understand more how it works (I'm relatively new to development..) For example, setting cookie names as arrays.. Is the only benefit that it would mean a single line to remove all cookies? Or are there other benefits? Also, the first line of your code `$pass=$_GET['pass']` - I'm not sure where this is set, or how it works. Could you explain? Thanks. — Scott Thornton, Jul 29 '15 at 21:10
about the arrays, it's just simplify if we have lots of cookie variables. And about the $_GET['pass'] and variable $a, it's just my example to try your code instead of creating new form using $_POST data. — JMozac, Jul 29 '15 at 23:48

PHP Cookies Not Unsetting [Unusual Situation]

1 Answers1