
Managing session cookies in Java

I'm working in a Java web application that should not allow a user to open it in 2 different tabs, and I'm using session cookies for that. It seems to work fine in most scenarios, but the problem is that the cookies are not cleared when the browser exits. This is how I set the cookies:

String sCookie = "mycookie=true;Path=/;Domain=.mydomain.com;HttpOnly";
if (!response.containsHeader("Set-Cookie")) {
    response.setHeader("Set-Cookie", sCookie);
} else {
    response.addHeader("Set-Cookie", sCookie);
}

As I understand, if I don't specify the Expires field, the cookie should be deleted on browser close. This is how I validate if the cookie exists:

Cookie[] cookies = request.getCookies();
for (Cookie cookie : cookies) {
    if ("mycookie".equals(cookie.getName()) && Boolean.valueOf(cookie.getValue())) {
        // some error
    }
}

Is there any problem with this code? Meaning, can I set the cookie with response.setHeader and then check it with request.getCookies()? Sometimes I have problems deleting the cookie manually and then when I restart the browser the problem continues.

This is how I manually delete the cookie (on tab close):

String sCookie = "mycookie=;Path=/;Domain=.mydomain.com;HttpOnly";
if (!response.containsHeader("Set-Cookie")) {
    response.setHeader("Set-Cookie", sCookie);
} else {
    response.addHeader("Set-Cookie", sCookie);
}

Thanks in advance

UPDATE

This is how I create the cookie:

Cookie c = new Cookie("mycookie","true");
c.setDomain(".mydomain.com");
c.setPath("/");
c.setValue("true");
response.addCookie(c);


This is how I delete the cookie:

for (Cookie c : request.getCookies()) {
    if ("mycookie".equals(c.getName())) {
        c.setMaxAge(0);
        c.setValue("");
    }
}


But still not working. Actually, now the cookie is not deleted when I close the tab (this was working fine in my previous version with "Set-Cookie" :S). Another detail is that I'm not seeing my cookie in the Resources tab of Chrome's developer tools.

As a general hint, you'd better use the response.addCookie(..) method and possibly use Cookie.setMaxAge(-1).

That said, that should be the default, so in order to understand the problem, you should use Firebug (or any browser developer tools) to inspect your cookies and check their max age, before and after closing the browser. E.g. you may have some leftover cookie.

Actually you should set the cookies in a different way:

Cookie myCookie = new Cookie("mycookie", "true");  // create your cookie (name and value are required)
// set path, and other attributes you need

// add the cookie to the response
response.addCookie(myCookie);

Then, to make a Cookie expire:

myCookie.setMaxAge(0);

Also, in order to clean completely:

myCookie.setValue("");
myCookie.setPath("/");

So, you have to get all the cookies in the request, identify yours and clean it with something like this:

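Cookie[] cookies = request.getCookies();  // an array, or null if the request has no cookies

if (cookies != null) {
    for (Cookie cookie : cookies) {
        // identify your cookie
        if ("mycookie".equals(cookie.getName())) {
            cookie.setMaxAge(0);
            cookie.setValue("");
            cookie.setPath("/");
            cookie.setDomain(".mydomain.com");  // must match the domain it was set with
            // send the expired cookie back, otherwise the browser never sees the change
            response.addCookie(cookie);
        }
    }
}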

If cookie.getName("Set-Cookie") does not match your Cookie, debug your code to see what name is assigned in the response.setHeader("Set-Cookie", sCookie);
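
An added example (not from the question or either answer) that combines the points above: the marker cookie is issued as a session cookie, and expiry is sent by adding a fresh zero-age cookie with the same name, domain and path to the response, since cookies read from the request carry only a name and value. It assumes the javax.servlet API (Servlet 3.0 or later); the class name TabCookie and its method names are hypothetical.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example (hypothetical helper): issue, check and expire the question's "mycookie". */
public final class TabCookie {
    // Values taken from the question; a deletion must repeat the same name, domain and path.
    private static final String NAME = "mycookie";
    private static final String DOMAIN = ".mydomain.com";
    private static final String PATH = "/";

    private TabCookie() {}

    /** Builds the cookie with the attributes that identify it to the browser. */
    private static Cookie build(String value, int maxAge) {
        Cookie c = new Cookie(NAME, value);
        c.setDomain(DOMAIN);
        c.setPath(PATH);
        c.setHttpOnly(true);   // Servlet 3.0+; matches the HttpOnly flag in the question's header
        c.setMaxAge(maxAge);
        return c;
    }

    /** Session cookie: a negative max age emits no Expires/Max-Age attribute. */
    public static void issue(HttpServletResponse response) {
        response.addCookie(build("true", -1));
    }

    /** True when the request carries the marker; getCookies() is null when none were sent. */
    public static boolean isPresent(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return false;
        }
        for (Cookie c : cookies) {
            if (NAME.equals(c.getName()) && Boolean.parseBoolean(c.getValue())) {
                return true;
            }
        }
        return false;
    }

    /** Expiry only reaches the browser if the zero-age cookie is added to the response. */
    public static void expire(HttpServletResponse response) {
        response.addCookie(build("", 0));
    }
}
```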
