RE: CookiesManagerUtil#deleteCookies does not work in some cases
When using the Liferay-recommended way to add SameSite: none to the JSESSIONID cookie https://help.liferay.com/hc/en-us/articles/12648655215885-SameSite-cookie-attribute it also affects other cookies (custom ones and Liferay ones like "COMPANY_ID", "COOKIE_SUPPORT", etc.).
This is generally fine as far as I can tell.
The issue is if we also have an https site and the "secure" attribute is added to the cookie. In such a case adding the cookie works, but removing it with CookiesManagerUtil#deleteCookies does not, as the deletion of the cookie does not include the secure=true attribute. Looking at the code of CookiesManagerImpl#deleteCookies confirms that:
cookie.setSecure(secure);
is missing.
Tested with CE GA89, but the same behavior is present on the master branch: https://github.com/liferay/liferay-portal/blob/master/modules/apps/cookies/cookies-impl/src/main/java/com/liferay/cookies/internal/manager/CookiesManagerImpl.java#L222
Hi Rafal,
It's planned to implement the support of the __Secure- prefix also during implementing the https://liferay.atlassian.net/issues/LPD-10595.
Regards,
Zsigmond
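
An added example (not from the thread and not Liferay code), covering both the missing Secure flag reported above and the __Secure- prefix mentioned in the reply: a header check to run against the Set-Cookie values captured when a cookie is set and when it is deleted. The class name, method names and sample headers are constructed; the check relies on the browser rules that a SameSite=None cookie without Secure, and a __Secure- cookie without Secure, are rejected.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Hypothetical helper, not part of Liferay.
public class DeleteCookieCheck {

    // Parses one Set-Cookie value; attribute names are lower-cased and the
    // cookie's own name is stored under the key "name".
    static Map<String, String> parse(String setCookie) {
        Map<String, String> attrs = new LinkedHashMap<>();
        String[] parts = setCookie.split(";");
        attrs.put("name", parts[0].split("=", 2)[0].trim());
        for (int i = 1; i < parts.length; i++) {
            String[] kv = parts[i].trim().split("=", 2);
            attrs.put(kv[0].toLowerCase(Locale.ROOT), kv.length > 1 ? kv[1].trim() : "");
        }
        return attrs;
    }

    // Lists reasons why a browser would ignore the deletion header or leave the
    // original cookie in place. Simplifications: a missing Path or Domain is
    // compared as an empty string, and an Expires date is not validated.
    static List<String> problems(String original, String deletion) {
        Map<String, String> o = parse(original);
        Map<String, String> d = parse(deletion);
        List<String> out = new ArrayList<>();
        String name = d.get("name");
        boolean secure = d.containsKey("secure");
        if (!name.equals(o.get("name"))) out.add("cookie name differs");
        if (!"0".equals(d.get("max-age")) && !d.containsKey("expires")) out.add("deletion header does not expire the cookie");
        if (!o.getOrDefault("path", "").equals(d.getOrDefault("path", ""))) out.add("Path differs from the original cookie");
        if (!o.getOrDefault("domain", "").equalsIgnoreCase(d.getOrDefault("domain", ""))) out.add("Domain differs from the original cookie");
        if ("none".equalsIgnoreCase(d.get("samesite")) && !secure) out.add("SameSite=None without Secure is rejected");
        if (name.startsWith("__Secure-") && !secure) out.add("__Secure- prefix requires Secure");
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample headers, not captured from a real portal.
        String set = "COOKIE_SUPPORT=true; Path=/; Max-Age=31536000; Secure; SameSite=None";
        String deleteWithoutSecure = "COOKIE_SUPPORT=; Path=/; Max-Age=0; SameSite=None";
        String deleteWithSecure = "COOKIE_SUPPORT=; Path=/; Max-Age=0; Secure; SameSite=None";
        System.out.println("without Secure: " + problems(set, deleteWithoutSecure));
        System.out.println("with Secure:    " + problems(set, deleteWithSecure));
    }
}
```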