Background:
- AspNet web app / C# 3.5
- IIS7
- VS 2010
- Windows 7
When user is authenticated, we create a cookie, this way:
var cookieASP = FormsAuthentication.GetAuthCookie(user.Id, true); // persistent forms-auth ticket
cookieASP.Domain = "x.y.local"; // domain set explicitly so sub-domains share the cookie
Yes, domain is hard coded for this example.
Using a cookie viewer extension in Firefox 11, I can see that the domain of the cookie is .x.y.local, with a leading dot. I know that it allows the cookie to be shared between w.x.y.local and q.x.y.local. Ok.
But, when user clicks on disconnect, he is not kicked out…
var cookieAsp = System.Web.Security.FormsAuthentication.GetAuthCookie(u.Identifiant, true);
cookieAsp.Expires = DateTime.Now.AddDays(-10); // expiry in the past, intended to delete the cookie
Response.Cookies.Set(cookieAsp);               // note: Domain is not set here
FormsAuthentication.SignOut();
And with the debugger we can see that cookieAsp.Domain is null. And the cookie is not removed from the browser's cookies.
If I edit the cookie domain (directly from the browser) and set its domain to x.y.local without the leading dot, the cookie is deleted and the user is disconnected.
I don't understand why this dot is added, and why it is not understood correctly by the browser.
EDIT (of major importance, I guess): we are doing it this way because if we don't set the domain, then IE8 (only 8) can't understand our cookie…
When you want to remove a cookie, you have to specify the cookie with the exact domain of the cookie you want to remove. The cookie's domain is not sent by the browser on a request, so you will always get a null value when you try to inspect it within a debugger session.
So before
Response.Cookies.Set(cookieAsp);
add
cookieAsp.Domain = "x.y.local";
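The following is an added example illustrating the answer above; it is not code from the question or the answer. It keeps the issue and the sign-out of the forms-auth cookie in one place so that the domain (and path) used to delete the cookie always match the ones used to create it. The domain constant and the helper class name are assumptions for the example; the IE8 reasoning from the question is the reason the domain is set explicitly at all.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example (not the poster's code): issue and remove the forms-auth cookie
// with identical Domain/Path, because the browser only sends name=value back and
// a Set-Cookie that deletes the cookie must restate the original attributes.
public static class AuthCookieHelper
{
    // Assumed value for the example; in a real application read it from configuration
    // so it cannot drift between the login and logout code paths.
    private const string CookieDomain = "x.y.local";

    public static void IssueAuthCookie(HttpResponse response, string userId, bool persistent)
    {
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(userId, persistent);
        cookie.Domain = CookieDomain;     // shared across w.x.y.local and q.x.y.local
        cookie.HttpOnly = true;           // keep the ticket out of reach of page scripts
        // cookie.Secure = true;          // enable once the site is served over HTTPS only
        response.Cookies.Add(cookie);
    }

    public static void SignOut(HttpResponse response)
    {
        // Invalidates the ticket server-side and queues the default removal cookie.
        FormsAuthentication.SignOut();

        // Explicitly send an expired cookie whose Domain and Path match the issued one;
        // without the Domain, the browser treats it as a different cookie and keeps
        // the original .x.y.local cookie alive.
        var expired = new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty)
        {
            Domain = CookieDomain,
            Path = FormsAuthentication.FormsCookiePath,
            Expires = DateTime.Now.AddDays(-10),
            HttpOnly = true
        };
        response.Cookies.Set(expired);
    }
}
```

Usage from a page or handler: `AuthCookieHelper.IssueAuthCookie(Response, user.Id, true)` after a successful login and `AuthCookieHelper.SignOut(Response)` on the disconnect action. Reading the domain from one shared constant or setting is the practical safeguard: the mismatch in the question only exists because the login path set `Domain` and the logout path did not.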