Setting expiry for JSESSIONID


MohanR

Oct 11, 2013, 5:42:09 AM
to httpf...@googlegroups.com
Hi,
How do I add an expiry value to the JSESSIONID cookie without changing anything else? This is to test session cookie behaviour in the browser.


Thanks,
Mohan  

    static function OnBeforeResponse(oSession: Session) {
        if (m_Hide304s && oSession.responseCode == 304) {
            oSession["ui-hide"] = "true";
        }

        if (oSession["X-CLIENTIP"].indexOf(/*private*/"172.16.") != 0) {
            var sCookie = oSession.oResponse["JSESSIONID"];
        }
    }

EricLaw

Oct 11, 2013, 10:56:35 AM
to httpf...@googlegroups.com
If the goal is to change the expiration of a cookie as it is being set then you need to edit the Set-Cookie response header's Expires attribute.

But I think you're asking something different: How can I remove/expire a cookie that was set by a previous response?

You could just write a rule that deletes it from the outbound Cookie header in subsequent requests, but the browser itself would still think it had the cookie, and it would be seen by JavaScript, etc.

So, you probably do want to remove it. To do so, you'd need to use code like this:

    if (oSession["X-CLIENTIP"].indexOf(/*private*/"172.16.") != 0) {
        // tell the browser to discard the cookie:
        oSession.oResponse.headers.Add("Set-Cookie", "JSESSIONID=expired; path=/; expires=Thu, Jan 01 1970 00:00:00");
        var sCookie = oSession.oResponse["JSESSIONID"];
    }

Note that the attributes (like path and optionally domain) must exactly match the attributes that were set when the cookie was originally set.


-Eric
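
The first case in the reply above (changing the expiry while the cookie is being set) comes down to rewriting the Set-Cookie value. This is an added example in plain JavaScript, not FiddlerScript and not code from the thread; `setCookieExpiry`, `rewriteSetCookieHeaders` and the sample header values are constructed for illustration.

```javascript
// Rewrite one Set-Cookie header value so the named cookie carries the given
// Expires date. All other attributes (Path, Domain, Secure, HttpOnly) are kept,
// so the browser treats the result as the same cookie.
function setCookieExpiry(headerValue, cookieName, expiresDate) {
  const parts = headerValue
    .split(";")
    .map((p) => p.trim())
    .filter((p) => p !== "");
  if (parts.length === 0) return headerValue;

  // The first name=value pair is the cookie itself; other cookies pass through.
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  if (name !== cookieName) return headerValue;

  // Drop any existing Expires and also Max-Age: per RFC 6265, Max-Age takes
  // precedence over Expires, so leaving it in would mask the new date.
  const kept = parts.slice(1).filter((attr) => {
    const key = attr.split("=")[0].trim().toLowerCase();
    return key !== "expires" && key !== "max-age";
  });

  return [parts[0], ...kept, "Expires=" + expiresDate.toUTCString()].join("; ");
}

// A response can carry several Set-Cookie headers; rewrite each one in turn.
function rewriteSetCookieHeaders(headers, cookieName, expiresDate) {
  return headers.map((h) => setCookieExpiry(h, cookieName, expiresDate));
}

// Constructed sample headers (not captured traffic).
const sampleHeaders = [
  "JSESSIONID=ABC123; Path=/app; HttpOnly; Secure",
  "JSESSIONID=ABC123; Path=/; Max-Age=3600; expires=Wed, 01 Jan 2014 00:00:00 GMT",
  "theme=dark; Path=/",
];

const future = new Date(Date.UTC(2030, 0, 1)); // persistent cookie
const past = new Date(0);                      // epoch: browser discards it

console.log(rewriteSetCookieHeaders(sampleHeaders, "JSESSIONID", future));
console.log(setCookieExpiry(sampleHeaders[0], "JSESSIONID", past));
```
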

MohanR

Oct 14, 2013, 9:41:28 AM
to httpf...@googlegroups.com
Actually it is the other question but the answer is similar. Is it? I have JSESSIONID that does not have an expiry date. It is a session cookie. Firefox has a facility to restore session cookies after a crash or when it is restarted. This is causing trouble in our banks due to its security risks.

So I wanted to set a past expiry date for JSESSIONID in the hope that when I close Firefox from the task manager it will expire because Firefox window is closing.

Thanks,
Mohan

EricLaw

Oct 14, 2013, 12:41:46 PM
to httpf...@googlegroups.com
I think you're confused about how cookies work.
 
If you put a past expiration on a cookie (regardless of whether that cookie was a session cookie or a persistent cookie), it is immediately deleted. It is not sent on any subsequent requests.
 
If you attempt to simulate a crash using an "End Process" or similar command, the process is killed; it doesn't have the opportunity to run any code to delete cookies or anything like that.
 
Browsers' crash recovery mechanisms are specifically designed to preserve cookies in the event of a crash; if your goal is to have any crash log the user out, you need to pursue a different architecture.