kamesh3183 has asked for the wisdom of the Perl Monks concerning the following question:

I have the following code, which will log out the user. If the user chooses to not close the browser it should terminate the session by deleting the cookies. But it is not able to delete the cookies. Can anybody tell the mistakes I have made?

if ($section eq "logout") {
    check_user();
    #print "Content-type: text/html\n\n";
    $cookie1 = $q->cookie(-name=>'id',
                          -value=>'',
                          -expires=>'-1d'
                          -path =>'/',
                          -domain =>'',
                          );
    #added by kamesh..it needs to be fixed
    $cookie2 = $q->cookie(-name=>'pass',
                          -value=>'',
                          -expires=>'-1d'
                          -path =>'/',
                          -domain =>'',
                          );
    $cookie3 = $q->cookie(-name=>'user_group_id',
                          -value=>'',
                          -expires=>'-1d'
                          -path =>'/',
                          -domain =>'',
                          );
    print $q->header(-cookie =>[$cookie1,$cookie2,$cookie3]);
    print "<script language=javascript>";
    print "window.close()";
    print "</script>";
    #my $response = $q->cookie("id");
    my $response = qq|<b>$LANG{'loggedout'}. <a href=$template{'mainfile'}?do=main>$LANG{'logbackin'} </a></b>|;
    $template{'response'} = $response;
    parse("$global{'data'}/include/tpl/general");
    exit;
}

thanks
kamesh

Replies are listed 'Best First'.
•Re: unable to delete cookies
by merlyn (Sage) on Nov 23, 2004 at 13:31 UTC
Re: unable to delete cookies
by Thilosophy (Curate) on Nov 24, 2004 at 09:31 UTC

    If you want to delete the cookie, you have to overwrite it with a new one with an expiration date in the past (you got that right, from what I can see).

    You can only overwrite a cookie if you use the exact same domain, path, and name settings that you used when creating it. I am not 100% sure if an empty value works (it should though), so to make sure, I use a dummy value, such as '0'.

    It would be helpful for you to see what cookie headers are actually being sent. I recommend the Mozilla plugin LiveHttpHeaders for that. Very useful for debugging web apps.

    On a related note, your cookies should not contain anything useful for the user. Best would be a long random number, which only you can associate to a user session. A password is not something you want to store in a cookie, and a user_group_id you receive from a cookie is not trustworthy (the user can change the value easily).
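
An added example, not code from any poster in this thread: the approach Thilosophy describes, with the cookie carrying only a random session id and the delete reusing exactly the name and path used when it was set. The cookie name `sid`, the `%SESSIONS` hash standing in for a server-side session store, the helper names and the sample user are assumptions, and reading `/dev/urandom` assumes a Unix-like host.

```perl
#!/usr/bin/perl
# Added example (not from the thread). All names here are hypothetical.
use strict;
use warnings;
use CGI;

# One definition of the identifying attributes, shared by set and delete,
# so the overwrite always targets the cookie that was actually created.
my %COOKIE_ATTR = (-name => 'sid', -path => '/');

my %SESSIONS;   # stand-in for a persistent server-side session store

# 128 bits from the kernel CSPRNG, hex encoded.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $n = read $fh, my $bytes, 16;
    close $fh;
    die "short read from urandom" unless defined $n && $n == 16;
    return unpack 'H*', $bytes;
}

# Login: user name and group stay on the server, keyed by the random id.
# No password or group id is ever placed in a cookie.
sub login_cookie {
    my ($q, $user, $group) = @_;
    my $sid = new_session_id();
    $SESSIONS{$sid} = { user => $user, group => $group };
    return $q->cookie(%COOKIE_ATTR, -value => $sid);
}

# Logout: invalidate the server-side record first, then overwrite the
# cookie with a dummy value and an expiry in the past. Every pair is
# comma-separated; the posted code has no comma between -expires and -path.
sub logout_cookie {
    my ($q) = @_;
    my $sid = $q->cookie($COOKIE_ATTR{-name});
    delete $SESSIONS{$sid} if defined $sid;
    return $q->cookie(%COOKIE_ATTR, -value => '0', -expires => '-1d');
}

my $q = CGI->new;
my $set = login_cookie($q, 'alice', 3);          # constructed sample user
print STDERR "login would send: Set-Cookie: $set\n";
print $q->header(-cookie => logout_cookie($q));  # logout response headers
```

Because the session record is deleted on the server, a browser that ignores or never receives the expiring cookie still ends up holding an id that no longer maps to anything.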

Re: unable to delete cookies
by TedPride (Priest) on Nov 23, 2004 at 14:59 UTC
    Instead of waiting for the cookie to go away, you could just set it to an invalid value. This should be easy to implement with any name / pass combination.