1

I'm setting a "SESSION" cookie via JS:

// cookie and data are objects defined elsewhere in the author's code
var d = new Date();
d.setTime(d.getTime() + (2*24*60*60*1000)); // two days from now
var expires = "expires=" + d.toUTCString();
document.cookie = cookie.name + "=" + cookie.value + ";" + expires +
    ";path=" + cookie.path + ";domain=" + data.shared_domain + ";";

Then I'm deleting the cookie by making it expire, via JS:

document.cookie = "SESSION=; expires=Thu, 01 Jan 1971 00:00:01 UTC; path=/;domain="+domain;

After doing this, console.log(document.cookie) will return all other cookies except this one, which is what I would expect.

On the other hand, I am doing session checks via PHP, trying to read the cookie by doing $_COOKIE["SESSION"].

isset($_COOKIE["SESSION"]) will return true, and I can read the old value of the cookie. No matter how many times I refresh the page, it still reads it.

Am I misunderstanding how cookies work? Is there another way to check if a cookie has expired in PHP?

Update: Yes, the problem is that the cookie has an HttpOnly flag.

So now I'm trying to delete it via PHP. Based on this other question, I do:

setcookie("SESSION", "", time()-3600);
if (isset($_COOKIE['SESSION'])) unset($_COOKIE['SESSION']);

When I'm done, I check that it's gone with a quick var_dump($_COOKIE), and yes, it is nowhere to be seen.

Except that Chrome still sees it (expired in 1969), and when I navigate to another part of the site, checking for that cookie will return a value.

I will add one extra piece of information, in case it makes a difference: This cookie is shared by sub.domain.com and app.sub.domain.com. When I set it, I set it for .domain.com. And I unset it for .domain.com as well.

How can I get rid of that cookie for good?

Victoria Ruiz
  • Since you tagged as php, use error reporting and check your console for the JS stuff. There is no php here though. – Funk Forty Niner Oct 11 '18 at 15:12
  • $_COOKIE["SESSION"] is PHP, and a var_dump() of it will return the expired session cookie's value. – Victoria Ruiz Oct 11 '18 at 15:13
  • I've been reading this over a few times and after the edit and I can't wrap my head around it. Have a look at [this answer](https://stackoverflow.com/a/34768196/1415724) and see if that helps. As well as checking if the cookie equals something in your JS/PHP. However you stated *"isset($_COOKIE["SESSION"]) will return true"*. It's unclear how you're using that and if it's in a conditional statement or not. If not, then what you posted and possibly using will always return true. See [this Q&A](https://stackoverflow.com/q/5859333/1415724) also. – Funk Forty Niner Oct 11 '18 at 15:41

1 Answer

1

It's not clear how you're creating the cookie in the first place; I assume using PHP's session handler, but you haven't specified.

Either way, it is likely being generated with cookie security settings that limit access to it from the JavaScript. This setting is called httpOnly and is typically used on session cookies and other similar cookie data that is intended for use only by the server-side code.

If this cookie setting has been set (and any good session handler will have set it), then you simply won't be able to set or unset this cookie from the browser; you will have to do it from your PHP code.

For more info on this topic, see this Wikipedia article: https://en.wikipedia.org/wiki/Secure_cookie

Spudley
  • Yes, the problem is actually that flag! Thank you! I'm writing an update, because I'm still having problems even via PHP. – Victoria Ruiz Oct 11 '18 at 16:52
  • Responding to your update: If this is the PHP session cookie, why are you not using PHP's session functions to kill it? A simple call to [`session_destroy()`](http://php.net/manual/en/function.session-destroy.php) should do the trick. (And if you're using some other session handler via a framework, it will probably have a similar feature) – Spudley Oct 11 '18 at 19:48
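The following PHP is an added example, not code from the question or the answer. It ties together the two points on this page: an HttpOnly cookie can only be issued and expired by the server, and the expiring Set-Cookie header must repeat the same domain and path the cookie was issued with, otherwise the browser keeps the shared cookie and merely stores a second, already-expired one (which is consistent with what the question's update describes). The constants and function names are assumptions; the `.domain.com` value mirrors the question. It uses the array form of `setcookie()` and the `samesite` key of `session_get_cookie_params()`, so it needs PHP 7.3 or later.

```php
<?php
// Added example, not the question's or the answer's own code.
// Assumed values: the cookie name and shared domain from the question.
const COOKIE_NAME   = 'SESSION';
const SHARED_DOMAIN = '.domain.com'; // same parent domain for sub.domain.com and app.sub.domain.com
const COOKIE_PATH   = '/';

// Issue the cookie server-side with HttpOnly set: document.cookie will
// neither show it nor be able to overwrite or expire it.
function issue_session_cookie(string $value): void
{
    setcookie(COOKIE_NAME, $value, [
        'expires'  => time() + 2 * 24 * 60 * 60, // two days, as in the JS snippet
        'path'     => COOKIE_PATH,
        'domain'   => SHARED_DOMAIN,
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // the flag that hides it from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Browsers match a deleting Set-Cookie on name + domain + path. A bare
// setcookie('SESSION', '', time() - 3600) uses the default path (the current
// script's directory) and no domain, so it does not replace the shared cookie.
function clear_session_cookie(): void
{
    setcookie(COOKIE_NAME, '', [
        'expires'  => time() - 3600,
        'path'     => COOKIE_PATH,   // must match issue_session_cookie()
        'domain'   => SHARED_DOMAIN, // must match issue_session_cookie()
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // $_COOKIE is a snapshot of the incoming request; unsetting it only affects
    // this script run. That is why var_dump($_COOKIE) looks clean while the
    // browser still sends the cookie on the next request.
    unset($_COOKIE[COOKIE_NAME]);
}

// If the cookie is PHP's own session cookie, end the session and expire the
// cookie using the parameters PHP actually issued it with, instead of guessing.
function end_php_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'] ?: 'Lax',
    ]);
    session_destroy();
}

// Usage (uncomment one). Both must run before any output, since cookies are
// HTTP headers and PHP cannot send them once the body has started.
// issue_session_cookie(bin2hex(random_bytes(32)));
// clear_session_cookie();
// end_php_session();
```

A quick way to confirm the deletion took effect is to look at the response headers in the browser's network panel: the `Set-Cookie` for the logout response should carry the same `Domain=` and `Path=` as the original one, and the next request should no longer send a `Cookie: SESSION=...` header.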