1

I'm using facebook to authenticate users at my website. I need to delete facebook cookie on logout from serverside with C#. could you please show me how to do it? tested and working example

Aleca
  • 11
  • 2
  • What framework are you using server-side? ASP.NET? – Cameron Mar 05 '11 at 04:38
  • 2
    You can't. You can only politely ask the users' browser to delete it. But the cookie is ultimately stored on the user's computer which you have no control over. If the user makes their cookie file readonly, your website isn't going to be making any changes, even if the browser is cooperative. – Ben Voigt Mar 05 '11 at 04:54
  • @Ben: Good point, but most people don't make their cookie file readonly ;-) – Cameron Mar 05 '11 at 05:01
  • @Cameron: True, but a readonly cookie file is just one example of many ways the client can disregard a request from the server. Many browsers (and application firewalls) can be configured to reject cookies from sites on a blacklist (or those not on a whitelist). And most browsers default to preventing cross-domain cookie access, which is probably what's going on here. – Ben Voigt Mar 05 '11 at 05:06
  • possible duplicate of [delete facebook session cookie from my application on users logout](http://stackoverflow.com/questions/4265844/delete-facebook-session-cookie-from-my-application-on-users-logout) – Ben Voigt Mar 05 '11 at 05:07

2 Answers2

2

Assuming you know the name of the cookie, you can set it's expiry date to some time in the past. When the browser receives the cookie, it will see that it's expired and delete it.

If you're using a System.Web.HttpCookieCollection, this MSDN article has example code which demonstrates this (example adapted from that on MSDN):

if (Request.Cookies["NameOfFacebookCookie"] != null) {
    HttpCookie myCookie = new HttpCookie("NameOfFacebookCookie");
    myCookie.Expires = DateTime.Now.AddDays(-1d);
    Response.Cookies.Add(myCookie);
}

Since you're authenticating users through Facebook, I'm assuming you're using OAuth. In this case, you don't know the name of the cookie, and in any case it isn't your cookie, it's set by facebook.com during the login process. To log off a user who's signed in via Facebook, see this answer.

Community
  • 1
  • 1
Cameron
  • 96,106
  • 25
  • 196
  • 225
  • +1 for sample and details. Also it still may not be the answer Aleca is looking for if the goal is to delete cookies from Facebook.com domain. – Alexei Levenkov Mar 05 '11 at 07:11
  • @Alexei: Right, but there really is no way to delete cookies from the facebook.com domain except by asking Facebook to do so (because of the [same origin policy](http://en.wikipedia.org/wiki/Same_origin_policy)) – Cameron Mar 05 '11 at 18:49
0

I don't understand why I can't "comment" when, but whatever; to add to the discussion between Alexei and Cameron above, the assumption there is that the cookie is controlled by Facebook. If you used the Javascript SDK, then yes, Cameron's comment is true. However, if instead you created a manual login flow (no SDK) so that you could server-side handle the login, then you likely created your own cookie to save the retrieved access_token, and of course, you could delete that.

Chris
  • 154
  • 1
  • 9