Chrome and cookies

[ginerjm]

For some time I have used cookies and they have worked perfectly for me.  I am able to set one after a successful login and when the user clicks on my 'Sign Off' button I am able to delete the cookie by setting the expiration to something like 'time()-3600' and 'false' as my cookie value.  I always use '/' as my path and my domain name for the domain.  These are static.  

 

I recently began experimenting with using Chrome as my browser instead of IE and after several days with it I suddenly discovered that I cannot Sign Off my apps.  I do the sign off but then can come right back in to my app without signing in again.  Even more puzzling is that if I close out the Chrome session and open an IE one I then have to login.

 

Anyone have a clue what is going on ?

 

PS - This is all done with plain PHP, no JS

Edited May 5, 2017 by ginerjm

[requinix]

Look at your cookies in Chrome (dev tools > Application > Storage > Cookies) to see if the login cookie is still there. Also use the Network tab when signing off to see what headers your server is returning.

 

Even more puzzling is that if I close out the Chrome session and open an IE one I then have to login.

Why is that surprising? They're two different programs. It's not like they share cookies.

[ginerjm]

Really?  Cookies are unique to browsers?  Really?

 

Without looking at the tools yet, I can only assume that my login cookie IS still there since my security check lets me into my appl., ie, the cookie must exist.  Again - all this worked great before I started experimenting with Chrome.  Don't make me think that my whole security process is flawed!  

 

Ok - according to chrome://settings/cookies my login cookie is still present after my appl thinks that it has deleted it.

 

If browsers don't share cookies, then why doesn't PHP need to perhaps handle them differently based upon the browser in use?  Or is that taken care of behind the scenes?

 

And if I am able to do this thing re: the headers, what should I be looking for?  I know nothing about headers other than the ones I send from my scripts.

Edited May 5, 2017 by ginerjm

[NotionCommotion]

Yes, cookies are unique to each browser.  Regarding "Even more puzzling is that if I close out the Chrome session and open an IE one I then have to login", this would be puzzling only if you were previously logged on via IE and thus that browser should already have a cookie set.

 

Maybe you had Chrome "automatically save this password" the first time you logged on?

[Jacques1]

Really?  Cookies are unique to browsers?  Really?

 

Cookies are unique per browser profile. A system-wide or even just browser-wide cookie storage would be awful in terms of security, privacy and isolation of different usages.

 

Just because I have, say, the cookies for my work in one Firefox profile doesn't mean I want every single browser on the PC to send the cookies with every request.

 

 

 

And if I am able to do this thing re: the headers, what should I be looking for?

 

As you might have guessed: Set-Cookie

[ginerjm]

Ok - I just did this

 

In the dev tools I found the cookies listing and I deleted my login cookie.  Suddenly now the appl request my password.  And just as suddenly when I sign off from that same app the cookie goes away.

 

So - why didn't that cookie go away before when I signed off?

[Jacques1]

Since we're neither sitting in front of your screen nor have any information, that's impossible to tell.

[Psycho]

Really?  Cookies are unique to browsers?  Really?

 

Although others answered this already, I thought I'd provide some add'l clarification. Each browser, when receiving a cookie, will store that cookie on the user's machine. That location is different per browser and by windows user (I assume oterh OSes do something similar). So, for Chrome, the cookies are stored in the following locaiton

 

 

C:\Users\<your_username>\AppData\Local\Google\Chrome\User Data\Default\

This should make it perfectly clear why cookies are not shared between browsers (or users)

[ginerjm]

Thank you for the further clarification.  Makes it more obvious.

 

But still doesn't answer the (now moot) question as to why my appl couldn't delete the existing cookies that apparently were imported from IE when I switched over to Chrome.

[Jacques1]

Again, how are we supposed to investigate this?

 

Maybe the Set-Cookie for deletion wasn't sent. Maybe its parameters didn't match the original cookie. Maybe it's something else.

 

If you think the problem is still there, you'll have to reproduce it and then use the browser tools to analyze the communication.

 

// Browsers don't import cookies. This guess can be ruled out.

Edited May 5, 2017 by Jacques1

[ginerjm]

I think the problem is cleared up as I said earlier.  Deleting all the cookies thru the browser and then re-establishing them now lets my app delete them.

[requinix]

It's possible you had multiple cookies. They're not unique just by name but also by parameters - a different domain or path is enough to create (or expire) a second cookie.

[ginerjm]

No that wasn't it.