I have the following c# code running on inside a logout page, via a "logout" button.
It works fine on ie and ff, but not on chrome. The issue is that chrome will not set the cookie. The value does not appear at all in the responce header. I have read some reports with similar issues on the net but no proper solution was proposed. Any help would be much appreciated. Thank you for your time. Here is the code that runs in the page:
public class LogOut : ExtendedControlBase
{
void RemoveCookie(string CookieName)
{
HttpCookie myCookie = new HttpCookie(CookieName);
myCookie.Expires = DateTime.Now.AddDays(-100);
Response.Cookies.Add(myCookie);
}
protected override void OnInit(EventArgs e)
{
Session.Remove("SiteUserEmail");
Session.Remove("SiteUserName");
Session.Remove("siteUserId");
Session.Remove("siteUserGroupId");
RemoveCookie("u");
Response.StatusCode = 301;
Response.AddHeader("Location", "/");
Response.Flush();
Response.End();
}
}
A few suggestions:
Try using something like Fiddler to see what exactly happening. My guess is actually the 'logout' link is not working on Chrome as expected.
Try setting the cookie header manually:
Response.AddHeader("Set-Cookie", "u=; expires=Fri, 31-Dec-1999 23:59:59 GMT");
Try setting test headers to check if they are really on the wire:
Response.AddHeader("X-Testing", "Testing");
Note: I haven't tried it. I assume setting arbitrary headers would work in Asp.Net.
My guess is that it's due to setting the expiration date in the past. Have you tried removing myCookie.Expires = DateTime.Now.AddDays(-100);? I believe it will still be treated as a session cookie without that value since the expiration date will not be set in the future.
Related
I try to delete this cookie:
First of all a bit of background. This is a token for verification on different sites within the same domain. I make the central login page. This page is working fine, except the log out. Every other cookie, I want to delete, gets deleted by JQuery cookie $.removeCookie('cookieName'). And I know, I can't delete this from the JavaScript, because of the secure-flag.
So I tried deleting it from a controller method. I call this method via ajax from JavaScript.
$.ajax({ur:'/Login/ExpireToken'})
I can see that it works in the Chrome Console Network Tab.
public void ExpireToken()
{
Response.Cookies.Remove("crowd.token_key");
}
But this, I don't know why, makes a new cookie, with the same name, empty value, the whole domain of the login page and no flags set.
So I tested, if the backend can find the cookie I want.
public string ExpireToken()
{
return Response.Cookies["crowd.token_key"].Value;
}
It returns the correct value and doesn't create a new/false one.
After this I tried to set the expires field to one day in the past or to now. I don't know, why this should work, because the expiration date of this cookie is already in the past.
public void ExpireToken()
{
Response.Cookies["crowd.token_key"].Expires = DateTime.Now.AddDays(-1d);
}
And guess what, it doesn't work. It does literally nothing.
Other ways that don't work
if (Request.Cookies["crowd.token_key"] != null)
{
var c = new HttpCookie("crowd.token_key");
c.Expires = DateTime.Now.AddDays(-1);
Response.Cookies.Add(c);
}
As per the doc, you are doing things right in your las attemp, the one setting the expiration date to yesterday. Quote:
The technique is to create a new cookie with the same name as the
cookie to be deleted, but to set the cookie's expiration to a date
earlier than today. When the browser checks the cookie's expiration,
the browser will discard the now-outdated cookie
I would put a breakpoint and debug to check cookie names, if everything is fine, perhaps the web browser is missbehaving.
HttpCookie aCookie;
string cookieName;
int limit = Request.Cookies.Count;
for (int i=0; i<limit; i++)
{
cookieName = Request.Cookies[i].Name;
aCookie = new HttpCookie(cookieName);
aCookie.Expires = DateTime.Now.AddDays(-1);
Response.Cookies.Add(aCookie);
}
Okay so this one has me stumped. I have written a function that reads the value of a cookie. The logic is
check Response.Cookies in case it has just been written
otherwise read from Request.Cookies to get the previous value
If the cookie has just been written then all is good, and I get the value. However if the cookie has not been written on this visit - it appears to blank the value of the already store cookie.
What?
Here is the code
Note the write happens in a controller
public static void PersistCookie(string cookieName, string cookieValue, bool persistent)
{
var cookie = new HttpCookie(cookieName, cookieValue)
{
Path = "/",
HttpOnly = true,
};
if (persistent)
cookie.Expires = DateTime.Now.AddMonths(6);
HttpContext.Current.Response.SetCookie(cookie);
}
Note the read happens ina partial view
public static string ReadCookieValue(string cookieName, bool checkResponseFirst)
{
if (checkResponseFirst && HttpContext.Current.Response.Cookies[cookieName] != null &&
HttpContext.Current.Response.Cookies[cookieName].Value.HasValue())
return HttpContext.Current.Response.Cookies[cookieName].Value;
return HttpContext.Current.Request.Cookies[cookieName] != null ? HttpContext.Current.Request.Cookies[cookieName].Value : "";
}
It almost seems that just by checking if a cookie has a value, it messes things up.
Thoughts?
Okay so after much more searching on the web, a good work colleague cam up with the following
it looks like I have come across a curiosity in .NET.
Check out this article
http://www.codeproject.com/Articles/3106/On-The-Care-and-Handling-of-Cookies
If you try to access a cookie that doesn't exist in the Response.Cookies collection, it will be created with an empty string in the Value and an Expires date of 01-Jan-0001 00:00. Strangely, it also creates a matching cookie in the Request.Cookies collection if one doesn't already exist.
So if you look at a cookie in the Response then you are indirectly overwriting the cookie on the client machine with an empty cookie, due to expire when the browser closes
So my problem is solved (or should that be unsolvable). As it turns out I have a workaround using the ViewBag but I am glad I was not going crazy!
Thanks for you help
I am not sure you can set cookies in partial views. When setting the cookie with Response.SetCookie, the information is returned to the browser in the Set-Cookie HTTPHeader field. I don't think partial views can set this value, try inspecting your applications response with Fiddler2, after calling Response.SetCookie.
I usually set my cookies with plain Javascript.
I am using c# and mvc. I am trying to write a cookie to the user browser. But after a refresh of the browser the cookie disappears.
This is my code for writing the cookie:
movieCookie = new HttpCookie(cookieName);
movieCookie.Value = "test;
movieCookie.Expires = DateTime.Now.AddDays(30);
//add the cookie
HttpContext.Current.Response.Cookies.Add(movieCookie);
and the one for reading the cookie:
//check if such cookie exist
HttpCookie movieCookie = null;
if (HttpContext.Current.Request.Cookies.AllKeys.Contains(cookieName))
movieCookie = HttpContext.Current.Request.Cookies[cookieName];
Another thing to add is that when I searched "AllKeys" like so:
HttpContext.Current.Request.Cookies.AllKeys
it shows an empty string array, for some reason.
any ideas?
Some possibly silly questions
Check your web-servers time and date, are they set correctly, if they are (in your case) 2 years out it will expire cookies immediately.
Check that cookieName is the same
Check that after setting the cookie to the response your not redirecting before the cookie is set. For a cookie to be set you need to set headers and push them out.
I solved it. It appears that in MVC the "return view" after the cookie creation, cause the cookie not to be saved.
We are using the following code to create the security cookie. Everything works fine in Staging environment, however in the production environment the following code is unable to create a cookie in Safari, Chrome or IE but it does create a cookie successfully in Firefox. anything that you guys think i am missing or is wrong in here ?
public static void SetAuthenticationCookie(CustomIdentity identity)
{
ConfigSettings configSettings = ConfigHelper.GetConfigSettings();
string cookieName = configSettings.CookieName;
if (cookieName == null || cookieName.Trim() == String.Empty)
{
throw new Exception("CookieName entry not found in Web.config");
}
string cookieExpr = configSettings.CookieExpiration.ToString();
string encryptedUserDetails = Encrypt(identity);
HttpCookie userCookie = new HttpCookie(cookieName.ToUpper());
if (cookieExpr != null && cookieExpr.Trim() != String.Empty)
{
userCookie.Expires = DateTime.Now.AddMinutes(int.Parse(cookieExpr));
}
userCookie.Values["UserDetails"] = encryptedUserDetails;
userCookie.Values["Culture"] = configSettings.Customer.Culture;
MyContext.Current.Response.Cookies.Add(userCookie);
}
Safari and IE8 don't accept third-party cookies by default.
When you call out to another domain using JSONP, every cookie set by that script will be blocked by Safari and IE8. There is nothing you can do about that (in IE8, you could add a P3P policy, but that doesn't work in Safari).
There are workarounds for maintaining state across JSONP calls, but it's pretty complicated (you'll have to manage state manually and use document.cookie in the called javascript)
As an alternative, you can ask your users to lower the privacy settings in their browser, but this isn't something worth considering IMHO.
did you check whether you have Web Developer add-on and disabled cookies? or disabled cookies inside of FF?
I've seen this issue related to the server having the incorrect UTC date/time. Firefox accepts regardless of the server date/time but other browsers won't set the cookie if the date/time is outside of a certain margin of error.
Okay, here is the 411 - I have the following event handler in my Global.asax.cs file:
private void Global_PostRequestHandlerExecute(object sender, EventArgs e)
{
if (/* logic that determines that this is an ajax call */)
{
// we want to set a cookie
Response.Cookies.Add(new HttpCookie("MyCookie", "true"));
}
}
That handler will run during Ajax requests (as a result of the Ajax framework I am using), as well as at other times - the condition of the if statement filters out non-Ajax events, and works just fine (it isn't relevant here, so I didn't include it for brevity's sake).
It suffices us to say that this works just fine - the cookie is set, I am able to read it on the client, and all is well up to that point.
Now for the part that drives me nuts.
Here is the JavaScript function I am using to delete the cookie:
function deleteCookie(name) {
var cookieDate = new Date();
cookieDate.setTime(cookieDate.getTime() - 1);
document.cookie = (name + "=; expires=" + cookieDate.toGMTString());
}
So, of course, at some point after the cookie is set, I delete it like so:
deleteCookie("MyCookie");
Only, that doesn't do the job; the cookie still exists. So, anyone know why?
you have to delete your cookie at the same path where you created it.
so create your cookie with path=/ and delte it with path=/ as well..
Have you checked the client-side and server-side cookie domains and paths to ensure they're the same?
Is one cookie secure and the other not?
Other than that, I would suspect server/client clock sync issues, as Erlend suggests.
Weird.. The code you pasted is almost verbatim to this: http://www.quirksmode.org/js/cookies.html which works fine..
I know you are using Ajax, but have you tried quickly knocking it to server side code to see if that works? This may help in figuring if it is a problem with the JS or something else (e.g mystery file locking on the cookie)?
Update
Just had a quick Google, looks like there may be issues with browser settings as well. I don't think your problem is the code here, it's more likely to be something else. I would suggest try the above as PoC and we can move from there. :)
I posted a js cookie util a week or so ago on my blog. This has worked for me on all "A Grade" browsers.
var CookieUtil = {
createCookie:function(name,value,days) {
if (days) {
var date = new Date();
date.setTime(date.getTime()+(days*24*60*60*1000));
var expires = "; expires="+date.toGMTString();
}
else var expires = "";
document.cookie = name+"="+value+expires+"; path=/";
},
readCookie:function(name) {
var nameEQ = name + "=";
var ca = document.cookie.split(';');
for(var i=0;i < ca.length;i++) {
var c = ca[i];
while (c.charAt(0)==' ') c = c.substring(1,c.length);
if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
}
return null;
},
eraseCookie:function(name) {
createCookie(name,"",-1);
}
};
Have you tried to use ;expires=Thu, 01-Jan-1970 00:00:01 GMT?
Also if a cookie domain was specified during the creation, I've found that you must also specify the cookie domain while trying to delete (expire) it.
Are we sure there's no code that sets the Cookie to HttpOnly (we're not missing anything above)? The HttpOnly property will stop (modern) browsers from modifying the cookie. I'd be interested to see if you can kill it server side like Rob suggests.
I assume you are calling this javascript on the browser side. Which browser are you using, how are you viewing the cookie to confirm it is still there?