Forum Discussion

Nimbostratus

Feb 13, 2016

Force to terminate active session cookie

I have https virtual servers with session cookie (HTTP cookie insert) for 3 hours expiration settings. I would like to configure it to terminate active cookie session after 3 hours even the user stil...

Employee

Feb 13, 2016

Session cookies can be deleted by resetting them with an expiration value in the past. For example:

HTTP::respond 302 Location "https://somewhere.else.com" "Set-Cookie" "MyCookie=0;path=/;expires=\"Thu, 01-Jan-1970 00:00:01 GMT\""

It's important to understand that a cookie is generally defined by its name and path, so:

MyCookie=1;path=/
MyCookie-1;path=/foo

are separate cookies and the browser agent will treat them as such. The point being that when you delete a cookie via setting an expiration, you must exactly match the name and path of the cookie stored by the browser. As to your question, if your application is setting the cookie in the first place, you'll need to "tag" it somehow with a timestamp. You can either add the timestamp to the cookie value, or keep a local table entry that maps the cookie's unique value (assuming it has a unique value) to a timestamp. When it's time to remove the cookie, either generate a redirect or inject the cookie into the HTTP response flow.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)