Recipe 10.6 Altering or Removing a Cookie That Has Already Been Set

Problem

You want to overwrite or remove an existing cookie.

Solution

Send a cookie with the same name and path as an existing cookie to overwrite the existing cookie. To delete a cookie, send a cookie with the same name and path but set the Expires attribute to a date in the past.

Discussion

You can overwrite a cookie and optionally provide different values for its attributes (such as the cookie value) by including a cookie in a response header that has the same name and path as an existing cookie. For example, imagine a servlet has set a cookie on the client with the following response header:

Set-Cookie: newcookie=1051642031398; Expires=Wed, 28-Apr-2004 18:47:11 GMT; Path=/home

This cookie can be overwritten on the client by changing its cookie value, but not the name and path:

Set-Cookie: newcookie=A1lnew; Expires=Wed, 28-Apr-2004 18:52:50 GMT; Path=/home

This response header will replace newcookie with a cookie of the same name. The new version has a new value (A1lnew) and an Expires attribute value.

Deleting a Cookie

You can delete a cookie by sending a response header to the client with the same cookie name and Path value, but with an Expires attribute value that represents a date in the past. With Java's Cookie API, you simply call the javax.servlet.http.Cookie.setMaxAge( ) method with an argument value of 0. Example 10-7 is the JSP of Recipe 10.2. This time the JSP is deleting mycookie by setting the maxAge property to 0 using jsp:setProperty.

Example 10-7. Deleting an existing cookie

<jsp:useBean id="cookieBean" class="com.jspservletcookbook.CookieBean" />
<jsp:setProperty name="cookieBean" property="name"  value="mycookie" />
<%-- delete the cookie by calling Cookie.setMaxAge(0) --%>
<jsp:setProperty name="cookieBean" property="maxAge"  value="0" />
<jsp:setProperty name="cookieBean" property="value"  value="finished" />
<jsp:setProperty name="cookieBean" property="path"  value=
    "<%= request.getContextPath( ) %>" />
<jsp:setProperty name="cookieBean" property="cookieHeader"  value=
    "<%= response %>" />
<%-- rest of JSP continues --%>

Cookies can be deleted only by a Set-Cookie response header emanating from the same domain that created the cookie, with the same cookie name and Path attribute. Here is what the response header from the deleting JSP looks like:

HTTP/1.1 200 OK
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: mycookie=finished; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/home
Transfer-Encoding: chunked
Date: Tue, 29 Apr 2003 19:18:59 GMT
Server: Apache Coyote/1.0

Note that the Expires attribute value is a date in the past. As a result, the client will no longer send the mycookie cookie in its request headers when it makes a request to the same domain at the /home context path. However, it may send other cookies (with different names) that were created during prior visits to the same domain and context path.

The browser user can delete a cookie from his machine anytime he wants, so always plan accordingly.

See Also

Recipe 10.1 on setting a cookie with a servlet; Recipe 10.2 on creating an array from all of the request's cookies; Recipe 10.3 on setting a cookie with a JSP; Recipe 10.4 on using a servlet to read cookies; Recipe 10.5 on reading cookie values with a JSP; the RFC 2109 document dealing with cookies: ftp://ftp.rfc-editor.org/in-notes/rfc2109.txt; Netscape's preliminary specification for cookies: http://wp.netscape.com/newsref/std/cookie_spec.html; the Java Cookie API: http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/http/Cookie.html.