I trying to remove a cookie in a servlet with this code
Cookie minIdCookie = null;
for (Cookie c : req.getCookies()) {
if (c.getName().equals("iPlanetDirectoryPro")) {
minIdCookie = c;
break;
}
}
if (minIdCookie != null) {
minIdCookie.setMaxAge(0);
minIdCookie.setValue("");
minIdCookie.setPath("/");
res.addCookie(minIdCookie);
}
res.flushBuffer();
But this gives no effect and no change in the cookie properties.
I've also tried adding a cookie in this servlet and this works fine.
Why is it that I can not change the properties of an existing cookie.
Most of the time the problem is with path of the cookie. So take care that you specify the path when creating a cookie. And then use the same path while discarding a cookie. The concept of path is
to get more info of path and cookie relate properties you can visit here.
The problem was that the cookie I wanted to remove had a path that was "/admin" and my logout servlet had the path "/admin/logoutServlet". When I get the cookie from the request the path is set to null. So when I add the cookie the path is set to "/admin/" as my servletIf I created a cookie with the path "/admin/" the servlet was able to remove it.
I solved the problem by explisitly setting the path of the cookie before adding it to the response.
But I don't understand why the path is null.
You should not change the path. This would change the cookie identity. If the cookie were set for a path like
/foo
and you change this to/
, then the client won't associate the changed cookie with the original cookie anymore. A cookie is identified by the name and the path.Just setting maxage to 0 ought to be enough.
You also need to ensure that you're reading/testing the cookie in the subsequent new request, not in the current request.
I think it is better to be using
null
instead of empty string. ie. changeminIdCookie.setValue("");
tominIdCookie.setValue(null);
I understand this is a few years old now, but the answer BalusC gave above isn't entirely correct, nor does Stefan's accepted answer really give all the details.
The path and domain will always be null when you retrieve cookies in Java because they are only necessary in the response for the client browser. However, if you're in the same security domain (regardless of the path), you still have the rights to delete them. Unfortunately, because the path is not included you can't delete the cookie now without explicitly knowing that path. Simply using the same cookie name, but a different path will not work. Those are considered two different cookies, and you will find that instead of deleting the cookie, you just created another one on a different path.
The other problem most developers have is they try to check for the absence of cookies before the response has been committed. A cookie is not removed until the client browser can read the response and remove it from the file system. If you forward to another servlet with the hope that you have deleted a cookie you will find it still exists (since the initial request is the same). In this sense request attributes are a much better option.