Cannot Delete _fbp Cookie - javascript

I have a button to give users the option to accept cookies, and another for them to revoke the cookies.
I am using the Cookie Notice for GDPR plugin by dFactory and Google Analytics Dashboard Plugin for WordPress by MonsterInsights.
I am using Facebook Pixel via a Google Tag Manager script on my website.
When the revoke button is clicked I revoke the cookies and reload the page. All my cookies delete successfully, but when I try to revoke the _fbp cookie it persists.
Name: _fbp
Value: fb.1.1562101432060.130183292
Domain: .upperroombooks.com
Path: /
Expires/Max-Age: 2019-09-30T21:03:52.000Z
Size: 32
HTTP:
Secure:
SameSite:
I am using the following code to attempt to delete the cookie:
document.cookie = '_fbp' + '=; Path=/; Domain=.upperroom.org; Expires=Thu, 01 Jan 1970 00:00:01 GMT;';
(Again, this method works for the other cookies.)
Funny enough, when I enter this code in the dev tools console it deletes the cookie as expected.

The domain of the _fbp cookie is:
Domain: .upperroombooks.com
When you're deleting the cookie, the domain you're trying to use is:
Domain= .upperroom.org
There may be an invalid domain warning in your console alluding to this.
If you correctly set (or remove) the Domain, it should work without issue.
I don't expect this will help the OP over 2 years on but it might help someone.

Related

Deleting cookie via browser vs via Javascript

What is the difference between deleting cookies via the browser, e.g. by using this little menu in Edge:
and setting max age to -1 via JavaScript, e.g. with code like this:
document.cookie = "MyCookie=; max-age=-1; path=/;domain=mydomain.com"
The context : I'm using some internal service in a company which should log a user out, but it requires me to remove cookies first. When using the former method (manual removal) it works, when using Javascript it doesn't. I've tried various combinations of paths, domains, max-age or expiration dates.
Deleting cookies from the browser via settings or dev tools will remove all cookies (including "HTTP only" cookies), while document.cookie cannot delete "HTTP only" cookies.
If a cookie is set with the "HTTP Only" flag, it cannot be accessed by JavaScript. In your case, your session cookie might have the "HTTP only" flag; that's why it's not getting deleted when you try to delete it with document.cookie.
You can view this in your browser dev tools (while you are logged in). To remove an HTTP-only cookie, you can update its value and expiry via an HTTP response (similar to how you set the cookie in the first place):
Set-Cookie: MyCookie=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT

document.Cookie is ignored by Chrome if path is set

I want to create a cookie that will not be sent to the server due to some legacy code in our app that cleared the content of the cookies upon login. To accomplish that I want to set the path of the cookie to something arbitrary.
I'm trying to set a cookie in JS using the following code:
document.cookie = "test=this is a test; Domain=mydomain.com; Path=/localcookie; Expires=Mon, 05 Apr 2021 21:02:42 GMT"
This line works fine in Firefox but is being ignored in Chrome (v80). If I remove the Path parameters or set it to "/" the cookie is created but not with the path I want.
Is this a limitation in Chrome, a security thing, a bug, or am I doing something wrong?

Delete sub-domain cookie, which was set by a sub-domain

I create a cookie within a subdomain (new.domain.com), however I need to clear this cookie on another sub-domain, as this is simply a login token which needs to be accessible across multiple sub-domains.
document.cookie = 'token=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=.domain.com';
However, the above code simply won't delete this cookie when it is run from, let's say, old.domain.com.
A cookie cannot be deleted with client-side code when the HttpOnly flag is used.
Quoting from docs:
Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).
So in order to be able to remove it, the aforementioned flag should not be set when the cookie is created.

Internet Explorer Cookies With Path In Current Path Aren't Available In document.cookie

For one of my projects I had the following paths available in a web application:
/one
/one/two
/one/two/three
Each of the different paths is variable and uses cookies as part of its variability. I had created the following cookies:
one=1; Max-Age=9600; Domain=.test.test.com; Path=/one; Expires=Wed, 30 Jul 2014 20:26:09 GMT
two=2; Max-Age=9600; Domain=.test.test.com; Path=/one/two; Expires=Wed, 30 Jul 2014 20:26:09 GMT
three=3; Max-Age=9600; Domain=.test.test.com; Path=/one/two/three; Expires=Wed, 30 Jul 2014 20:26:09 GMT
When accessing the URL (I was running my test on http://test.test.com setup in my hosts file) at the following locations I received the following results:
Visit http://test.test.com/one the correct cookie (one=1) was sent to the server, but document.cookie was empty.
Visit http://test.test.com/one/ the correct cookie (one=1) was sent to the server and document.cookie also had the correct cookie (one=1).
Visit http://test.test.com/one/two the correct cookies (one=1 and two=2) were sent to the server, but document.cookie only contained the first cookie (one=1).
Visit http://test.test.com/one/two/ the correct cookies (one=1 and two=2) were sent to the server and document.cookie also had the correct cookies (one=1 and two=2).
Visit http://test.test.com/one/two/three the correct cookies (one=1, two=2, and three=3) were sent to the server, but document.cookie only contained the first two cookies (one=1, two=2).
Visit http://test.test.com/one/two/three/ the correct cookies (one=1, two=2, and three=3) were sent to the server and document.cookie also had the correct cookies (one=1, two=2, and three=3).
This utterly confounded me, and through a bunch of testing I was only able to find Internet Explorer being impacted by this issue, please see the answer for additional details.
Due to the constraints of my project I needed to have the ability to keep cookie names the same at each of these paths and also vary them by path, so I wasn't able to come up with any solution for my situation where I could use cookies without requiring a trailing slash at the end (which due to my constraints I cannot do).
If you are running into a similar issue there's a couple things that I can think of doing:
If the name of your cookies can vary, you could use different names for each of the paths and keep the path either at the root (path=/)
If the name of your cookies cannot vary but it doesn't matter if they go up a level in the path, you could do that (in my case the cookie three=3 could be placed up one directory at path=/one/two if my constraints didn't prohibit me from doing that).
If your constraints don't prohibit you from requiring trailing slashes you could simply have your webserver enforce trailing slashes and redirect to a path with them when they aren't present.
If you run into the same issue with similar constraints to mine you could just move to another storage device instead of cookies. There's other modern pieces such as localStorage and sessionStorage which would allow you to store your data in a more structured way so that you can handle the logic. Note: This only works when you don't need the data from the cookie server side.
In the end what I ended up doing was moving the cookie that I didn't need server side (three=3) to use a convention instead of configuration via cookie within the project and kept the other ones as is since the other two cookies (one=1 and two=2) are only used when visiting the path http://test.test.com/one/two/three and so they are still available through document.cookie in Internet Explorer.

Cannot delete cookies that were set in JavaScript on the server

I am trying to write PHP code to delete all of the user cookies on my domain.
Here is what I got:
<?php
$domain = 'www.example.com';
$deleteExpiration = time() - 60*60*24*365*10; // 10 years ago
foreach (array_keys($_COOKIE) as $cookie) {
    setcookie($cookie, 0, $deleteExpiration, '/', $domain);
}
Running this code on http://www.example.com/delete_cookies.php deletes all cookies that were set on the server, but not cookies that were set in JavaScript.
I verified using the Firefox Cookies dialog that the problematic cookies are indeed from (path=/; domain=www.example.com). Using Live HTTP headers, I can see that the following header is sent:
Set-Cookie: CookieName=0; expires=Fri, 12-Mar-1999 19:36:15 GMT; path=/; domain=www.example.com
So I believe the setcookie command is working as expected. Firefox is just not honoring the request.
One additional thing that I noticed is that if I set a cookie with domain=www.example.com on the server, then it is listed in the Firefox cookie dialog with domain=".www.example.com", but if I set the following cookie using JavaScript code then the leading dot is not added.
What am I doing wrong? How can I delete these cookies?
I've had a similar issue and it was solved by just not passing the domain.
setcookie($cookie, '', 1, '/');
On a side note from cookie_spec "Setting the path to a higher-level value does not override other more specific path mappings. If there are multiple matches for a given cookie name, but with separate paths, all the matching cookies will be sent." So if you have same name cookies at different path locations you will have to delete each one.
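
The deletion failures in the answers above (a mismatched Domain, the HttpOnly flag, and a host-only cookie versus one set with a Domain attribute) all come down to how the browser matches an expiring cookie against a stored one. The following is an added example, not code from any of the posts: a simplified JavaScript model of a cookie store. The CookieJar class, the page host www.upperroombooks.com and the sid cookie are assumptions made for illustration.

```javascript
// Simplified model of a browser cookie store (added example). Assumptions: a
// cookie is keyed by name, domain (host-only vs. Domain attribute) and path;
// a missing Path defaults to "/" here, which real browsers derive from the URL.
class CookieJar {
  constructor() { this.store = new Map(); }
  // fromScript=true models document.cookie; false models a Set-Cookie header.
  set(cookieString, host, fromScript) {
    const [pair, ...rest] = cookieString.split(';').map(s => s.trim()).filter(Boolean);
    const name = pair.slice(0, pair.indexOf('='));
    const value = pair.slice(pair.indexOf('=') + 1);
    const attrs = {};
    for (const part of rest) {
      const i = part.indexOf('=');
      attrs[(i < 0 ? part : part.slice(0, i)).toLowerCase()] = i < 0 ? true : part.slice(i + 1);
    }
    let domain = host;                  // no Domain attribute: host-only cookie
    if (typeof attrs.domain === 'string') {
      const d = attrs.domain.replace(/^\./, '').toLowerCase();
      // The setting host must domain-match the Domain attribute.
      if (host !== d && !host.endsWith('.' + d)) return 'rejected: domain mismatch';
      domain = '.' + d;                 // kept distinct from the host-only form
    }
    const key = [name, domain, typeof attrs.path === 'string' ? attrs.path : '/'].join('|');
    const existing = this.store.get(key);
    if (fromScript && (attrs.httponly || (existing && existing.httpOnly))) return 'rejected: HttpOnly';
    const expired = Date.parse(attrs.expires) <= Date.now() || Number(attrs['max-age']) <= 0;
    if (expired) return this.store.delete(key) ? 'deleted' : 'no matching cookie';
    this.store.set(key, { value, httpOnly: Boolean(attrs.httponly) });
    return 'stored';
  }
}

// Constructed scenarios mirroring the questions on this page.
function demo() {
  const jar = new CookieJar(), gone = 'Expires=Thu, 01 Jan 1970 00:00:01 GMT';
  const shop = 'www.upperroombooks.com', ex = 'www.example.com';
  return [
    jar.set('_fbp=fb.1.0.0; Domain=.upperroombooks.com; Path=/', shop, true),
    jar.set(`_fbp=; Path=/; Domain=.upperroom.org; ${gone}`, shop, true),
    jar.set(`_fbp=; Path=/; Domain=.upperroombooks.com; ${gone}`, shop, true),
    jar.set('sid=abc; Path=/; HttpOnly', shop, false),
    jar.set('sid=; max-age=-1; path=/', shop, true),
    jar.set(`sid=deleted; path=/; ${gone}`, shop, false),
    jar.set('CookieName=1; path=/', ex, true),
    jar.set(`CookieName=0; path=/; domain=www.example.com; ${gone}`, ex, false),
    jar.set(`CookieName=0; path=/; ${gone}`, ex, false),
  ];
}
console.log(demo());
```

Each entry in the returned array corresponds to one write: the wrong-domain delete is rejected outright, the script-side delete of an HttpOnly cookie is refused, and the delete that adds a Domain attribute misses the host-only cookie.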
