Hi there,
In one of my controllers I’m using Yii code only to read (and delete) cookies created by a scripting language (JavaScript) attached to one of the views. Actually, it is the same view that the controller renders, i.e. I want to make sure that under certain conditions (a “clean” controller invocation, meaning that the queryString is empty and the action is called without any additional arguments) the cookie will be deleted.
I have this piece of code:
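// Assumption: $cookies is the request's cookie collection (not shown in the post).
$cookie = $cookies['www-reg-cookie'];
if(isset($cookie))
{
    // First attempt: unset the collection entry
    unset($cookies['www-reg-cookie']);
    $cookie->httpOnly = FALSE;
    // Second attempt: explicit remove()
    $cookies->remove('www-reg-cookie');
    echo('<pre>'.print_r('DELETED!', TRUE).'</pre>');
}
echo('<pre>$cookies[www-reg-cookie] = "'.print_r($cookies['www-reg-cookie'], TRUE).'"</pre>');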
Running it brings me to at least two bad conclusions:
- Yii is not able to delete a cookie created by JavaScript. Both methods presented (run separately or together) failed.
- Correct me if I’m wrong. Since I’m using unset, the particular cookie should be unset, i.e. it should disappear and become a non-existing object, not just an empty string as value, right? If this is true, then it seems that Yii is… lying! :] The code presented above is executed (I’m getting the “DELETED!” message on screen as well as another line saying that the cookie is empty), but my browser claims that the cookie was NOT removed, and so the code reacts as if it had not been removed.
As you can see, I thought that the problem lies in the httpOnly param of a cookie. After analysing the code I found that Yii uses it in setcookie, which is also responsible for deleting a cookie. So I’ve set it to FALSE (I don’t know what its default value is; the docs say nothing on this) to make sure that Yii will pass it to setcookie. I don’t know if httpOnly is also relevant to deleting a cookie, i.e. if setting this to true would make the cookie deleted only for HTTP, but still available to JavaScript.
But the conclusion is that, with or without httpOnly set to FALSE, and with unset or cookie->delete, Yii is not able to delete a cookie created by JavaScript.
And the big question is, what can I (or we) do about it? Is the only way to make JavaScript responsible also for deletion of a cookie?
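
An added example, not part of the original post: a small model of how a browser stores cookies under RFC 6265, showing that an expired Set-Cookie removes a cookie only when name, domain and path all match, while HttpOnly is not part of that identity. The host, the request path /site/register and the assumption that the script set the cookie without an explicit path are constructed for illustration.

```javascript
// Minimal model of a browser cookie store (RFC 6265, section 5.3).
// Constructed example: host, paths and values are made up for illustration.
// Simplification: domain matching is reduced to an exact host comparison.

// RFC 6265 section 5.1.4: path used when a cookie is set without a Path attribute.
function defaultPath(requestPath) {
  if (!requestPath.startsWith('/')) return '/';
  const lastSlash = requestPath.lastIndexOf('/');
  return lastSlash === 0 ? '/' : requestPath.slice(0, lastSlash);
}

class CookieJar {
  constructor() { this.store = new Map(); }

  // A cookie is identified by name + domain + path. HttpOnly is not in the key.
  static key(name, domain, path) { return `${name}|${domain}|${path}`; }

  // Apply one cookie write, from document.cookie or from a Set-Cookie header.
  set({ name, value, domain, path, requestPath, expires }) {
    const effectivePath = path || defaultPath(requestPath);
    const k = CookieJar.key(name, domain, effectivePath);
    if (expires !== undefined && expires <= Date.now()) {
      this.store.delete(k); // an expired write evicts only the exact match
    } else {
      this.store.set(k, value);
    }
  }

  names() { return [...this.store.keys()]; }
}

function demo() {
  const jar = new CookieJar();
  const host = 'example.test';
  const page = '/site/register';
  // Script on the page runs: document.cookie = "www-reg-cookie=1" (no path given)
  jar.set({ name: 'www-reg-cookie', value: '1', domain: host, requestPath: page });
  // Server answers with an expired Set-Cookie carrying Path=/
  jar.set({ name: 'www-reg-cookie', value: '', domain: host, path: '/', requestPath: page, expires: 0 });
  const afterRootDelete = jar.names();
  // Same deletion, sent with the path the cookie was actually stored under
  jar.set({ name: 'www-reg-cookie', value: '', domain: host, path: '/site', requestPath: page, expires: 0 });
  return { afterRootDelete, afterMatchingDelete: jar.names() };
}
```

In a real browser the stored path of each cookie is visible in the developer tools' cookie storage view, which is the quickest way to check whether a server-side deletion is addressing the same cookie the script created.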