
I am considering using http-only cookies to store something similar to a session identifier. After the cookie is read by the server, it needs to be deleted.

My question is simply, is this possible? Can the server tell the browser to delete an http-only cookie?

Oliver
  • "I am considering using http-only cookies to store something similar to a session identifier. After the cookie is read by the server, it needs to be deleted." - you mean you want a cookie that can only be used for a single HTTP request? – Dai May 02 '22 at 00:49
  • Also, you do know that you _cannot trust remote clients_? Just because the server has requested that a client remove a previously-issued cookie doesn't mean that it actually will, therefore your server-side code needs to maintain knowledge of cookie revocation history... – Dai May 02 '22 at 00:50
  • First comment: No, what is stored in the cookie is a key. The key is used to establish a session. I won't go into this further. Second comment: I do and have considered this. Once the cookie is used, the server will no longer accept it. The reason why I want to delete it is just for clean-up. Is this possible? – Oliver May 02 '22 at 01:23

0 Answers
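The flow discussed in the question and comments (a single-use key in an HttpOnly cookie, refused by the server after its first use, then cleared for clean-up) can be sketched as follows. This is an added example, not code from the post; the cookie name `handoff_key`, the in-memory `_pending` set and the function names are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "handoff_key"       # hypothetical cookie name
ATTRS = "Path=/; Secure; HttpOnly; SameSite=Strict"
_pending = set()                  # assumption: in-memory store of unused keys


def issue_cookie():
    """Create a single-use key and the Set-Cookie value that delivers it."""
    key = secrets.token_urlsafe(32)
    _pending.add(key)
    return key, f"{COOKIE_NAME}={key}; {ATTRS}"


def deletion_header():
    """Set-Cookie value that expires the cookie.

    HttpOnly only hides the cookie from page script; the server can still
    overwrite it. Name, Path and Domain must match the original cookie.
    """
    return (f"{COOKIE_NAME}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
            f"Max-Age=0; {ATTRS}")


def consume(cookie_header):
    """Validate the key from a request's Cookie header, exactly once.

    Returns (accepted, set_cookie_value). The expiring Set-Cookie is sent
    whenever the cookie is present, but acceptance depends only on
    server-side state, because the client may ignore the deletion.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return False, None
    key = morsel.value
    accepted = key in _pending
    _pending.discard(key)          # revocation lives on the server
    return accepted, deletion_header()
```

A replayed cookie gets the same expiring `Set-Cookie` back but is rejected, since the key was already removed from the server-side set.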