Question
Natwest
IN
Last activity: 29 Oct 2020 5:10 EDT
Delete cookies On click of a Button
I have a requirement to delete certain cookies on click of a button. I could delete browser cookies by adding the JavaScript code document.cookie = cookieName+"=; expires="+pastDate+"; path=/"; But I still need to delete other:
- session cookies
- HTTP-only cookies
- different-domain cookies
Please let me know how to achieve this.
Natwest
IN
Anyone faced this before?
Pegasystems Inc.
US
Hi,
See if the following document helps you out:
https://www.netsparker.com/security-cookies-whitepaper/
Not sure of the reasons you need to remove cookies, but keep in mind that cookies with the HttpOnly attribute cannot be accessed via JavaScript.
Maybe others can respond if they have had similar requirements.
Natwest
IN
Hi Brad,
Thanks for your reply.
I have gone through the link which you shared. It looks like it contains the generic cookie concept and an implementation in PHP (server scripting).
As I already mentioned, I have already handled (create/delete) browser-level cookies using JavaScript. I have understood that this will not work the same way for session, HttpOnly and other secure cookies. The whitepaper also mentioned the same.
It would be great if you could provide some input on the Pega end: how to handle session, HttpOnly and other secure cookies,
or let me know how that PHP can help in implementing this in Pega.
Pegasystems Inc.
AU
@Presadh8Prem
Do the session cookies not get invalidated when you Log Off from Pega? That would be the net effect of deleting a session cookie, so the "Log Out" action is the "Delete Cookies" button you are after for session cookies.
Other domain cookies won't be influenced by cookie expiry headers sent in responses from Pega domains, so you can't influence these from a button served by a Pega application.
That leaves the HttpOnly cookies. Which of these do you need to delete and why?
- If you are not explicitly setting those cookies in your application, then these will be HttpOnly cookies created by the Pega engine and should be left for the Pega engine to manage. What is the impact of leaving any of these unexpired, Pega-managed, HttpOnly cookies in the browser's cache?
- If you are explicitly setting those cookies in your application, you must have some customized Java code in Pega that does this, and similar Java code needs to expire them.
Consider that the remaining cookies may be created/managed by middleware in between the Pega server and the browser, like a load balancer. Do the cookies look Pega-specific? Any cookies on your Pega domain that remain after a Pega logout are likely not Pega-managed.
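As an added illustration of the three cases in this reply (and of the document.cookie deletion from the original question), the following Node script models what a "Delete cookies" button running on one host can and cannot reach. It is example code, not code from the thread or from Pega; the host names, cookie values and the cookie names other than s_sq are constructed for illustration.

```javascript
// Added example, not code from the thread. It models the three kinds of cookie the
// question lists and shows which of them a "Delete cookies" button can actually reach.
// The host names and cookie values below are constructed for illustration.

// A cookie as the browser stores it. `domain` is the host that issued it; `httpOnly`
// and `path` are the attributes the server sent with it.
const SAMPLE_JAR = [
  { name: "theme", value: "dark", domain: "app.example.com", path: "/", httpOnly: false },
  { name: "sid", value: "9f3c", domain: "app.example.com", path: "/", httpOnly: true },
  { name: "s_sq", value: "%5B%5D", domain: "analytics.example.org", path: "/", httpOnly: false },
  { name: "ad_id", value: "x7", domain: "ads.example.net", path: "/", httpOnly: false },
];

// Cookie domain matching: a cookie belongs to the page's host when the host equals the
// cookie domain or is a subdomain of it ("example.com" cookies also match "app.example.com").
function domainMatches(cookieDomain, host) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// What document.cookie exposes to a script running on `host`: only cookies for that
// host (or a parent domain) that were NOT marked HttpOnly. Everything else is invisible.
function visibleToScript(jar, host) {
  return jar
    .filter((c) => domainMatches(c.domain, host) && !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Sort a jar into what a button on `host` can clear itself, what only the issuing
// server can expire (HttpOnly), and what is out of reach entirely (other domains).
function classify(jar, host) {
  const result = { scriptClearable: [], serverOnly: [], unreachable: [] };
  for (const c of jar) {
    if (!domainMatches(c.domain, host)) result.unreachable.push(c.name);
    else if (c.httpOnly) result.serverOnly.push(c.name);
    else result.scriptClearable.push(c.name);
  }
  return result;
}

// The document.cookie assignment the question already uses: an expiry in the past
// deletes the cookie, but only if path (and domain, when set) match the original.
function expireAssignment(name, path = "/", domain) {
  let s = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}`;
  if (domain) s += `; domain=${domain}`;
  return s;
}

// The server-side counterpart: the Set-Cookie header the issuing application (in this
// thread, the customized Java in Pega that set the cookie) would send to expire an
// HttpOnly cookie. Max-Age=0 tells the browser to discard it immediately; Path/Domain
// must match the values used when the cookie was set, or the browser treats it as a
// different cookie and keeps the original.
function expireHeader(name, { path = "/", domain, httpOnly = true, secure = true } = {}) {
  const parts = [`${name}=`, "Max-Age=0", `Path=${path}`];
  if (domain) parts.push(`Domain=${domain}`);
  if (httpOnly) parts.push("HttpOnly");
  if (secure) parts.push("Secure");
  return parts.join("; ");
}

// Simulate clicking the button on `host`: apply the script-side deletions and return
// the jar the browser would be left with (HttpOnly and other-domain cookies survive).
function clickDeleteButton(jar, host) {
  const { scriptClearable } = classify(jar, host);
  return jar.filter((c) => !scriptClearable.includes(c.name));
}

if (typeof require !== "undefined" && require.main === module) {
  const host = "app.example.com";
  console.log("document.cookie on", host, "->", JSON.stringify(visibleToScript(SAMPLE_JAR, host)));
  console.log(classify(SAMPLE_JAR, host));
  for (const n of classify(SAMPLE_JAR, host).scriptClearable) console.log("JS:", expireAssignment(n));
  console.log("server:", expireHeader("sid"));
  console.log("left after click:", clickDeleteButton(SAMPLE_JAR, host).map((c) => c.name));
}
```

Run with node: only the non-HttpOnly same-domain cookie ends up clearable from the button; the HttpOnly session cookie needs the Set-Cookie expiry from whoever issued it, and the analytics and advertising cookies from other domains are never visible to the page at all.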
Natwest
IN
Thanks, and I appreciate your effort, Braam.
There are cookies which the application sets. I can create/delete/update my application-based cookies.
But some cookies are getting set from the Platform, Organization and other domains' side, which I don't have control over.
I have attached a session cookie from the platform side and a different-domain cookie which I need to delete. But I couldn't get it for HTTP-only cookies.
Our application doesn't have a Login/Log off option, unfortunately; it's Org-wide SSO. I might terminate the requestor itself, but if the user logs in, those cookies get loaded again.
The other-domain cookies are advertising cookies; as per the requirement, users are not allowed to have those cookies when they access from outside the Org network. Even if it's not influenced, we need to clean up those cookies.
For HTTP-only cookies, it's not getting set at the Pega end or the application end. I am trying hard to find where it's getting set.
But we are mainly concentrating on session cookies, then other-domain cookies.
Let me know if anything you want me to try at code level.
Pegasystems Inc.
AU
Hi @Presadh8Prem
If it is an IT requirement to not allow cookies on the user's device, then this needs to be enforced by that IT organization through its Standard Operating Environment (SOE) for the operating systems and browser software that the IT administrators allow to be used.
Ultimately the user's browser cannot prevent web applications from sending cookies in their responses. The SOE needs to be configured to ignore/discard them on receipt if this is important to the organization. It is not practical to have a domain-specific script control the lifecycle of all cookies on a device. This is the browser's responsibility (i.e. the "Clear Cookies" option in the browser's settings) and goes against the principle of cookies.
Specifically to Pega, beyond it not being technically possible - it is not a Pega application's responsibility to manage the cookies issued by other domains (e.g. bing.com in your example).
As for the s_sq cookie issued by pegacloud.net ... I don't recognize it as a Pega Platform cookie. A Google search took me to CookiePedia which suggests this cookie belongs to Adobe SiteCatalyst. At a glance this appears to be a similar offering to Google Analytics. If your client is using Adobe for web analytics of your Pega application, then this is the origin and you should recommend the Adobe product execute its analytics without cookies (if possible). Once again, this is not the Pega Platform's responsibility to control, and any action you take to attempt to expire Adobe cookies from the Pega application may still be undone by however the Adobe product legitimately attempts to maintain its existence.
Depending on the intent of the IT requirement, a Session cookie is typically maintained in the browser's memory only. If the cookie is not persisted on the device's file system, it may not be a violation of the IT policy. Check the browser's support articles to confirm whether Session cookies are persisted and how that aligns to the IT requirement.
Natwest
IN
Thanks, Braam,
I will convey the same to the team. I don't know how they will take it.
If I get anything back I will keep you posted, Braam.
Appreciate your effort.