Weird CGI Cookie Problem

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Really weird. I go to set a cookie: (with the values login and password)

my $cookie = $CGI->cookie(
                                -name=>'stflogin',
                                -value=>$CGI->param("login"),
                                -expires=>'+1m');
my $other_cookie = $CGI->cookie(    
                                -name=>'stfpassword',
                                -value=>$CGI->param("password"),
                                -expires=>'+1m');
print $CGI->header(-cookie=>[$cookie,$other_cookie]);
[download]

which works fine and as expected. I use different code to delete the cookie:

my $cookie = $CGI->cookie(
                                -name=>'stflogin',
                                -value=>"");
my $other_cookie = $CGI->cookie(
                                -name=>'stfpassword',
                                -value=>"");
print $CGI->header(-cookie=>[$cookie,$other_cookie]);
[download]

The result is hardly as I expected:
$ENV{HTTP_COOKIE} is

stflogin=login; stfpassword=password; stflogin=; stfpassword=

Whats up with that? When I use ->cookie() it gives me the value set by the first chunk of code (not the "delete cookie" code.) What am I doing wrong?

Comment on Weird CGI Cookie Problem Select or Download Code

Replies are listed 'Best First'.
Re: Weird CGI Cookie Problem by tachyon (Chancellor) on Jul 19, 2001 at 07:19 UTC
The CGI.pm cookie() method sets a cookie. To delete a cookie here is a quote from the Netscape Cookie Spec: "If a CGI script wishes to delete a cookie, it can do so by returning a cookie with the same name, and an expires time which is in the past. The path and name must match exactly in order for the expiring cookie to replace the valid cookie. This requirement makes it difficult for anyone but the originator of a cookie to delete a cookie." To explicitly delete you cookie this should work fine: `my $cookie = $CGI->cookie( -name => 'stflogin', -value => '', -expires => '-1d'); my $other_cookie = $CGI->cookie( -name => 'stfpassword', -value => '', -expires => '-1d'); print $CGI->header(-cookie=>[$cookie,$other_cookie]);` [download] You are not explicitly setting a domain or path so the default should remain the same both setting and deleting. Hope this helps. Update It's been bugging me all day so I just want to say that setting cookies on the clients machine called login and password worries me. It is not a very secure thing to do. It might be better to set a client ID cookie and leave passwords and logins where they belong - securely encrypted on the server (outside the doc tree of course :-). If you are planning on denying access by deleting a cookie from the client side I presume you know that cookies are text files that I can view, copy, delete, edit or otherwise munge as I see fit. In other words you have very little control over what happens to them once on a client machine. Anyway I feel better now. cheers tachyon s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print	[reply] [d/l]

Replies are listed 'Best First'.

Re: Weird CGI Cookie Problem
by tachyon (Chancellor) on Jul 19, 2001 at 07:19 UTC

The CGI.pm cookie() method sets a cookie. To delete a cookie here is a quote from the Netscape Cookie Spec:

"If a CGI script wishes to delete a cookie, it can do so by returning a cookie with the same name, and an expires time which is in the past. The path and name must match exactly in order for the expiring cookie to replace the valid cookie. This requirement makes it difficult for anyone but the originator of a cookie to delete a cookie."

To explicitly delete you cookie this should work fine:

my $cookie = $CGI->cookie(
                                -name    => 'stflogin',
                                -value   => '',
                                -expires => '-1d');
my $other_cookie = $CGI->cookie(    
                                -name    => 'stfpassword',
                                -value   => '',
                                -expires => '-1d');

print $CGI->header(-cookie=>[$cookie,$other_cookie]);
[download]

You are not explicitly setting a domain or path so the default should remain the same both setting and deleting. Hope this helps.

Update

It's been bugging me all day so I just want to say that setting cookies on the clients machine called login and password worries me. It is not a very secure thing to do. It might be better to set a client ID cookie and leave passwords and logins where they belong - securely encrypted on the server (outside the doc tree of course :-). If you are planning on denying access by deleting a cookie from the client side I presume you know that cookies are text files that I can view, copy, delete, edit or otherwise munge as I see fit. In other words you have very little control over what happens to them once on a client machine. Anyway I feel better now.

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

[reply]
[d/l]