I create a cookie within a subdomain (new.domain.com), however I need to clear this cookie on another sub-domain, as this is simply a login token which needs to be accessible across multiple sub-domains.
document.cookie = 'token=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=.domain.com';
However, the above code simply won't delete this cookie when it is run from, let's say, old.domain.com.
A cookie cannot be deleted with client side code when HttpOnly flag is used.
Quoting from docs:
Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).
So in order to be able to remove it, the aforementioned flag should not be set when the cookie is created.
Related
What is the difference between deleting cookies via the browser, e.g. by using this little menu in Edge:
and setting max-age to -1 via JavaScript, e.g. with code like this:
document.cookie = "MyCookie=; max-age=-1; path=/;domain=mydomain.com"
The context : I'm using some internal service in a company which should log a user out, but it requires me to remove cookies first. When using the former method (manual removal) it works, when using Javascript it doesn't. I've tried various combinations of paths, domains, max-age or expiration dates.
Deleting cookie from browser via settings or Dev tools will remove all cookies (including "HTTP only" cookie), while document.cookie cannot delete "HTTP only" cookies.
If a cookie is set with the "HTTP Only" flag, it cannot be accessed by JavaScript. In your case, your session cookie might have the "HTTP only" flag; that's why it's not getting deleted when you try to delete it with document.cookie.
You can view this from your browser's Dev tools (while you are logged in). To remove an HTTP only cookie, you can update its value and expiry via an HTTP response (similar to how you set the cookie in the first place):
Set-Cookie: MyCookie=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
I am using following code to delete a cookie:
document.cookie = "CookieName=; expires=Thu, 01 Jan 1970 00:00:00 UTC";
There are two cookies, one is on domain www.websiteaddress.com and the other is on .websiteaddress.com.
When I am on the page www.websiteaddress.com, the cookie having domain www.websiteaddress.com gets deleted but the other one is not deleted. How can I delete both cookies while loading JavaScript on www.websiteaddress.com?
You are not allowed to delete cookies on another site, because there is no guarantee that you own both www.websiteaddress.com and .websiteaddress.com. You can only delete cookies that you set for the current domain.
I have domain.com, sub1.domain.com and sub2.domain.com. From a site on sub1.domain.com I call a script to set a cookie on domain.com like this:
document.cookie = "KEY=Value; domain=.domain.com; path=/; expires=Thu, 01 Jan 2013 00:00:01 GMT";
I check the browser and see that cookie. Looks good. After that I go to sub2.domain.com to modify or delete the cookie I've created.
document.cookie = "KEY=Deleted; domain=.domain.com; path=/; expires=Thu, 01 Jan 1990 00:00:01 GMT";
But no luck, the cookies are still there and the value remains. What should I do to remove the root cookie from a subdomain?
EDIT:
To make it clear: I use Citrix single sign-on to authenticate on both domains. We just have to log in to .domain.com and Citrix will authenticate the rest. But the problem is it does not have a sign-out mechanism, so I have decided to clear the cookies. It works when I clear them with browser plugins. But when it comes to code (JavaScript) it won't work. Does anyone know about this?
OK, I know the problem! Those cookies are HttpOnly cookies, which means we cannot access them via JavaScript. I have to modify them on the server side:
// ASP.NET (System.Web): overwrite the cookie with an expiry in the past so the browser discards it.
// Domain and Path must match the cookie being removed, otherwise a second cookie is created instead.
HttpCookie expiredCookie = new HttpCookie("CookieName");
expiredCookie.Expires = DateTime.UtcNow.AddDays(-1);
expiredCookie.Path = "/";
expiredCookie.Domain = ".domain.com";
Response.Cookies.Add(expiredCookie);
If i set a cookie using the code
var a = 'jn=900; expires=Fri, 27 Jul 2013 02:47:11 UTC; path=/';
document.cookie = a;
Then it is sure that document.cookie = 'jn=900; expires=Fri, 27 Jul 1999 02:47:11 UTC; path=/'; will delete the cookie.
Is it necessary to set all the properties used to set the cookie for deleting the cookie?
I.e., whether document.cookie = 'jn=900; expires=Fri, 27 Jul 1999 02:47:11 UTC;' is enough for deleting the cookie shown above, or should I also specify the path as used to set the cookie?
Assume that the cookie is accessible in the page I'm deleting the cookie.
Also is it possible to delete a cookie set by PHP using Javascript?
It is a good practice to set the path to avoid issues like cookies set by mistake on a different domain (www.domain.com instead of domain.com).
Regarding the second question, the answer is yes, you can use Javascript to access and delete cookies created by PHP if they are not marked as HttpOnly.
The HttpOnly attribute directs browsers to use cookies via the HTTP protocol only. An HttpOnly cookie is not accessible via non-HTTP methods, such as calls via JavaScript (e.g., referencing "document.cookie"), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique). As shown in previous examples, both Facebook and Google use the HttpOnly attribute extensively.
http://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie
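The matching rules behind the two answers above (a scripted delete only removes the cookie whose name, domain and path all match, and HttpOnly cookies are out of reach of document.cookie), as an added example that is not from any of the posts: a small Node.js model of a browser cookie store, with a constructed walk-through of the www.websiteaddress.com case. The `CookieJar` and `scenario` names are the example's own.

```javascript
// Added example (not from any post above): a simplified model of a browser cookie store
// following RFC 6265, showing why a scripted "delete" needs name + domain + path to match.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: null, path: '/', expires: null, httpOnly: false };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const k = (i < 0 ? a : a.slice(0, i)).toLowerCase(), v = i < 0 ? '' : a.slice(i + 1).trim();
    if (k === 'domain') c.domain = v.replace(/^\./, '').toLowerCase();   // leading dot is ignored
    else if (k === 'path') c.path = v;
    else if (k === 'expires') c.expires = new Date(v);
    else if (k === 'max-age') c.expires = new Date(Date.now() + Number(v) * 1000);
    else if (k === 'httponly') c.httpOnly = true;
  }
  return c;
}
// Host-only cookies match the host exactly; domain cookies match the domain and its subdomains.
const covers = (c, host) => c.hostOnly ? c.domain === host : host === c.domain || host.endsWith('.' + c.domain);
class CookieJar {
  constructor() { this.store = new Map(); }
  set(host, header, fromScript = false) {   // host = page running document.cookie or response origin
    const c = parseSetCookie(header);
    c.hostOnly = c.domain === null; if (c.hostOnly) c.domain = host;
    if (!covers(c, host)) return false;                  // Domain attribute must cover the origin
    const key = `${c.name}|${c.domain}|${c.path}`;       // cookie identity: name + domain + path
    const old = this.store.get(key);
    if (fromScript && old && old.httpOnly) return false; // script can neither read nor replace it
    if (c.expires && c.expires <= Date.now()) this.store.delete(key); else this.store.set(key, c);
    return true;
  }
  documentCookie(host) {                                 // what script running on `host` sees
    return [...this.store.values()].filter(c => !c.httpOnly && covers(c, host))
      .map(c => `${c.name}=${c.value}`).join('; ');
  }
}
function scenario() {                                    // constructed walk-through of the question above
  const jar = new CookieJar(), host = 'www.websiteaddress.com', gone = 'expires=Thu, 01 Jan 1970 00:00:00 GMT';
  jar.set(host, 'CookieName=host; path=/');                              // host-only cookie
  jar.set(host, 'CookieName=wide; domain=.websiteaddress.com; path=/'); // domain cookie
  jar.set(host, `CookieName=; path=/; ${gone}`, true);                  // the asker's attempt
  const afterNoDomain = jar.documentCookie(host);                        // 'CookieName=wide'
  jar.set(host, `CookieName=; domain=.websiteaddress.com; path=/; ${gone}`, true);
  const afterDomain = jar.documentCookie(host);                          // ''
  jar.set(host, 'token=s3cr3t; path=/; HttpOnly');                       // server-set session cookie
  const scriptDelete = jar.set(host, 'token=; path=/; max-age=-1', true); // false
  const serverDelete = jar.set(host, 'token=; path=/; max-age=-1');       // true
  return { afterNoDomain, afterDomain, scriptDelete, serverDelete, left: jar.store.size };
}
```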
document.cookie is empty, however there are some cookies on this site
I am trying to clear the cookies from http://ya.ru (Firebug shows some cookies on this site), but document.cookie is empty.
Why?
The cookies being set on ya.ru are invalid. From the headers:
Set-Cookie:S=; path=/; expires=Thu, 12-Apr-2001 18:01:31 GMT
S=; domain=.ya.ru; path=/; expires=Thu, 12-Apr-2001 18:01:31 GMT
That means that the cookie S is being set to blank (and once on a potentially invalid domain .ya.ru),
and from kiss.ya.ru:
Cookie:yandexuid=740707471300761151; fuid01=4d880a3f046a3adb.XAGDFwCcblJ88BiI0-dizIwYqqeFGNCvuzmuswZQjSzBOiQsoOPEvCh0rUsbgtkecV63gqRK6ya5qdTjR-LlwdBAsop6Em9vXP6vlBLZgLZQolx7uVPD4Qw_PPWCapoE
Since the site is running on ya.ru, you can't read the kiss.ya.ru cookies due to security issues.
Probably a security thing. If the JavaScript has been loaded from a host or path different than the one set for the cookie, the cookie is invisible.