I am using following code to delete a cookie:
document.cookie = "CookieName=; expires=Thu, 01 Jan 1970 00:00:00 UTC";
There are two cookies, one in on domain www.websiteaddress.com and other is on .websiteaddress.com.
When I am on page www.websiteaddress.com the cookie having domain address www.websiteaddress.com gets deleted but other one is not deleted. How can I delete both cookies while loading javascript on www.websiteaddress.com
You are not allowed to delete cookies on another site. Because there is no guarantee that you own both www.websiteaddress.com and .websiteaddress.com. You can only delete cookies that you set for the current domain.
Related
I create a cookie within a subdomain (new.domain.com), however I need to clear this cookie on another sub-domain, as this is simply a login token which needs to be accessible across multiple sub-domains.
document.cookie = 'token=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=.domain.com';
However the above code simply won't delete this cookie, which is being ran from lets say (old.domain.com).
A cookie cannot be deleted with client side code when HttpOnly flag is used.
Quoting from docs:
Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).
So in order to be able to remove it, the aforementioned flag should not be set when the cookie is created.
I am trying both in javascript and in php to set cookies that will work cross-domain.
In PHP:
ini_set('session.cookie_domain', '.example.com' );
session_set_cookie_params(60*60,"/",".example.com",false,false);
In JavaScript:
document.cookie = 'coo=21c4o2fnb2et aqj256; expires=Sun Feb 01 2015 23:40:16 GMT-0500 (EST); path=/;Domain=.example.com;'
In .htaccess:
php_value session.cookie_domain .example.com
In php.ini:
session.cookie_domain = ".example.com"
In the PHP response, I get:
PHPSESSID=togp8kh3ehst2iuf4t3egll7p0; expires=Sun, 02-Nov-2014 04:43:25 GMT; path=/; domain=.example.com
So, the php response looks good to me, but the browser stores no cookies, for both the javascript and the php. Cookies do work on a single subdomain, but this site is now requesting cookie-required data from a different subdomain, so I'd like to get the cookies to work for the entire domain.
I think this answer your (duplicated) question:
Share cookie between subdomain and domain
The trick is on the setting the cookie with the higher domain possible, which would be example.com, not .example.com (which is not even valid)
I have domain.com, sub1.domain.com and sub2.domain.com. From a site of sub1.domain.com i call a script to set cookie on domain.com like this
document.cookie = "KEY=Value; domain=.domain.com; path=/; expires=Thu, 01 Jan 2013 00:00:01 GMT";
I check browser an see that cookie. Look good. After that I go to sub2.domain.com to modify or delete the cookie I've created.
document.cookie = "KEY=Deleted; domain=.domain.com; path=/; expires=Thu, 01 Jan 1990 00:00:01 GMT";
But no luck, Cookies are still there, value remain. What should I do to remove root cookie from subdomain?
EDIT:
To make it clear: I use citrix single sign on to authenticate on both domain. we just have to login to .domain.com and citric will authenticate the rest. But the problem is it does not have sign out mechaniz so I have decide to clear cookies. It work when i clear it with browser plugins. But when it come to code (javascript) it won't work. Does anyone know this
Ok I know the problem! Thoese cookie are httponly cookie, that mean we cannot access via javascript. I have to modified them on server side
HttpCookie expiredCookie = new HttpCookie("CookieName");
expiredCookie.Expires = DateTime.UtcNow.AddDays(-1);
expiredCookie.Path = "/";
expiredCookie.Domain = ".domain.com";
Response.Cookies.Add(expiredCookie);
If i set a cookie using the code
var a = 'jn=900; expires=Fri, 27 Jul 2013 02:47:11 UTC; path=/';
document.cookie = a;
Then it is sure that document.cookie = 'jn=900; expires=Fri, 27 Jul 1999 02:47:11 UTC; path=/'; will delete the cookie.
Is it necessary to set all the properties used to set the cookie for deleting the cookie?
Ie. whether document.cookie = 'jn=900; expires=Fri, 27 Jul 1999 02:47:11 UTC;' is enough for deleting the cookie shown above, or should I also specify the path as used to set the cookie?
Assume that the cookie is accessible in the page I'm deleting the cookie.
Also is it possible to delete a cookie set by PHP using Javascript?
It is a good practice to set the path to avoid issues like cookies set by mistake on a different domain (www.domain.com instead of domain.com).
Regarding the second question, the answer is yes, you can use Javascript to access and delete cookies created by PHP if they are not marked as HttpOnly.
The HttpOnly attribute directs browsers to use cookies via the HTTP protocol only. An HttpOnly cookie is not accessible via non-HTTP methods, such as calls via JavaScript (e.g., referencing "document.cookie"), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique[27]). As shown in previous examples, both Facebook and Google use the HttpOnly attribute extensively.
http://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie
document.cookie is empty, however there are some cookies on this site
I try to clean cookie from http://ya.ru (firebug show some cookies on this site) but document.cookie is empty
Why?
The cookies being set on ya.ru are invalid. From the headers:
Set-Cookie:S=; path=/; expires=Thu, 12-Apr-2001 18:01:31 GMT
S=; domain=.ya.ru; path=/; expires=Thu, 12-Apr-2001 18:01:31 GMT
That means that the cookie S is being set to blank (and once on a potentially invalid domain .ya.ru)
and from kiss.ya.ru:
Cookie:yandexuid=740707471300761151; fuid01=4d880a3f046a3adb.XAGDFwCcblJ88BiI0-dizIwYqqeFGNCvuzmuswZQjSzBOiQsoOPEvCh0rUsbgtkecV63gqRK6ya5qdTjR-LlwdBAsop6Em9vXP6vlBLZgLZQolx7uVPD4Qw_PPWCapoE
yandexuid=740707471300761151; fuid01=4d880a3f046a3adb.XAGDFwCcblJ88BiI0-dizIwYqqeFGNCvuzmuswZQjSzBOiQsoOPEvCh0rUsbgtkecV63gqRK6ya5qdTjR-LlwdBAsop6Em9vXP6vlBLZgLZQolx7uVPD4Qw_PPWCapoE
Since the site is running on ya.ru, you can't read the kiss.ya.ru cookies due to security issues.
Probably a security thing. If the Javascript has been load from a host or path different than the one set for the cookie, the cookie's invisible.