How to delete cookies on an ASP.NET website


Solution 1

Try something like this:

if (Request.Cookies["userId"] != null)
{
    Response.Cookies["userId"].Expires = DateTime.Now.AddDays(-1);   
}

But it also makes sense to use

Session.Abandon();

as well, in many scenarios.

Solution 2

No, cookies can be cleaned only by setting the Expiry date for each of them.

if (Request.Cookies["UserSettings"] != null)
{
    HttpCookie myCookie = new HttpCookie("UserSettings");
    myCookie.Expires = DateTime.Now.AddDays(-1d);
    Response.Cookies.Add(myCookie);
}

At the moment of Session.Clear():

  • All the key-value pairs from the Session collection are removed. The Session_End event does not fire.

If you use this method during logout, you should also use the Session.Abandon method to raise the Session_End event:

  • The cookie with the session ID (if your application uses cookies to store the session ID, which is the default) is deleted

Solution 3

This is what I use:

    private void ExpireAllCookies()
    {
        if (HttpContext.Current != null)
        {
            int cookieCount = HttpContext.Current.Request.Cookies.Count;
            for (var i = 0; i < cookieCount; i++)
            {
                var cookie = HttpContext.Current.Request.Cookies[i];
                if (cookie != null)
                {
                    var expiredCookie = new HttpCookie(cookie.Name) {
                        Expires = DateTime.Now.AddDays(-1),
                        Domain = cookie.Domain
                    };
                    HttpContext.Current.Response.Cookies.Add(expiredCookie); // overwrite it
                }
            }

            // clear cookies server side
            HttpContext.Current.Request.Cookies.Clear();
        }
    }

Solution 4

Unfortunately, for me, setting "Expires" did not always work. The cookie was unaffected.

This code did work for me:

HttpContext.Current.Session.Abandon();
HttpContext.Current.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

where "ASP.NET_SessionId" is the name of the cookie. This does not really delete the cookie, but overrides it with a blank cookie, which was close enough for me.

Solution 5

I just want to point out that the Session ID cookie is not removed when using Session.Abandon as others said.

When you abandon a session, the session ID cookie is not removed from the browser of the user. Therefore, as soon as the session has been abandoned, any new requests to the same application will use the same session ID but will have a new session state instance. At the same time, if the user opens another application within the same DNS domain, the user will not lose their session state after the Abandon method is called from one application.

Sometimes, you may not want to reuse the session ID. If you do and if you understand the ramifications of not reusing the session ID, use the following code example to abandon a session and to clear the session ID cookie:

Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

This code example clears the session state from the server and sets the session state cookie to null. The null value effectively clears the cookie from the browser.

http://support.microsoft.com/kb/899918
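
A logout helper that combines the approaches in the answers above, as an added example that is not code from any of the posters: it abandons the session, expires every cookie the browser sent, and expires the session ID cookie. `LogoutHelper`, `SignOut` and `Expire` are hypothetical names, and the code assumes the cookies were issued with Path "/" and no explicit Domain, because a browser only replaces a cookie whose name, domain and path match the one it stored.

```csharp
using System;
using System.Web;
using System.Web.Configuration;

// Added example; LogoutHelper, SignOut and Expire are hypothetical names.
public static class LogoutHelper
{
    // Assumption: the application issues its cookies with Path "/" and no explicit Domain.
    private const string CookiePath = "/";

    public static void SignOut(HttpContext context)
    {
        if (context == null) throw new ArgumentNullException("context");

        // Drop server-side session state. The browser still holds the session ID cookie.
        if (context.Session != null)
        {
            context.Session.Clear();
            context.Session.Abandon();
        }

        // Snapshot the names first: cookies added to the response also appear in Request.Cookies.
        string[] names = context.Request.Cookies.AllKeys;
        foreach (string name in names)
        {
            if (name != null) Expire(context, name);
        }

        // The session cookie name comes from <sessionState cookieName="...">.
        var section = WebConfigurationManager.GetSection("system.web/sessionState") as SessionStateSection;
        Expire(context, section != null ? section.CookieName : "ASP.NET_SessionId");
    }

    private static void Expire(HttpContext context, string name)
    {
        var expired = new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),   // a date in the past tells the browser to discard it
            Path = CookiePath,                       // must match the path the cookie was set with
            HttpOnly = true,
            Secure = context.Request.IsSecureConnection
        };
        // Set replaces a response cookie of the same name instead of emitting a second header.
        context.Response.Cookies.Set(expired);
    }
}
```

Call `LogoutHelper.SignOut(HttpContext.Current)` from the logout page before redirecting. Cookies that were issued with a different Path or an explicit Domain need those same values on the expiring cookie.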

Author by

Karthik Malla

Programmer, Security Advisor, Cryptography, Entrepreneur,

Updated on April 07, 2021

Comments

  • Karthik Malla about 3 years

    In my website when the user clicks on the "Logout" button, the Logout.aspx page loads with code Session.Clear().

    In ASP.NET/C#, does this clear all cookies? Or is there any other code that needs to be added to remove all of the cookies of my website?