Deleting cookies

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
As I understand it, detting and deleting cookies has to be done *before*
any other text or headers are sent to the browser.

So, should this example delete all cookies that my session can see?

There is one cookie that seems to live beyond this, and I can't figure
out why.



foreach ($_COOKIE as $ck => $c) {
     $cookies = array();
             $exp = time()-3600;
             $result = setcookie($ck, $c, $exp);
             $cookies[] = "<br />Result =  $result  (setcookie($ck, $c,
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
         <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
         <title>Delete cookies</title>
             echo "<pre>";
             print_r( $cookies);
             echo "</pre>";

Re: Deleting cookies

On 9/27/2010 11:58 AM, MikeB wrote:
Quoted text here. Click to load it

Do all of the cookies have the same path parameter?  I believe all
arguments to setcookie() when unsetting must be supplied as they were
supplied when the cookie was created. That includes, the domain, path,
and  https.

Have a look at the cookie contents with Firefox+Firebug+Firecookie or
Chrome's Developer Tools.

Re: Deleting cookies

Michael wrote:
Quoted text here. Click to load it

OK, so that implies that there is a parameter (attribute) of a cookie
that is NOT in the $_COOKIE variable that is required to know before one
can delete a cookie?  Hmm...


Re: Deleting cookies

On 9/27/2010 1:19 PM, MikeB wrote:
Quoted text here. Click to load it

It sounds like you've got the mystery cookie sorted out and are
beginning to understand better in your other thread. But, yes - there
are additional cookie parameters not readable in the $_COOKIE
superglobal.  $_COOKIE only contains key=>value pairs since the client
browser is responsible for determining which domain and path a cookie
should be sent in the first place.  PHP doesn't need to know the paths &
domains since the web server should never receive the cookie for an
invalid domain or path.

But if you set the cookie yourself, then you know the correct domain &
path to unset it.

Re: Deleting cookies

Michael wrote:
Quoted text here. Click to load it

OK, now this is perhaps not a PHP topic anymore, so if someone know the
right place for this, please tell me.

The cookie I'm struggling with is one named "mbcc" without, of course,
the quotes.

If I search for it in my list of cookies that Firefox has, I find 6
instances of this cookie, for the following sites:

The content on each site is different, as is the expiry time.

In all instances the path is "/" (again, no quotes).

So why does the code in the OP not delete this cookie (at least for
localhost where I'm testing)?

If localhost updates the cookie, then the contents of this cookie is not
visible, for instance, on the site, right?

So the assumption I can make here is that there is some common code
running on oreilly and mrsfields that uses a cookie named mbcc?

But what about localhost?  How did the cookie come to be here?

I'm running EasyPHP with Apache, MySQL, and phpMyAdmin as stuff that has
localhost addresses and then of course my own testing.

But even before I created a cookie, this cookie exists. So now I assume
that one of those three products mentioned above creates and uses this
mbcc cookie? Is that right?

When I added the path argument to the setcookie call, the cookie did get
deleted, but now I don't understand, since / is the default path, it
*should* have been deleted on my first attempt?

PS. i did try and google that cookie name, but I got flooded by
irrelevant hits.  :(


Re: Deleting cookies

On 9/27/2010 2:48 PM, MikeB wrote:
Quoted text here. Click to load it

Yes, other domains are setting cookies in your browser, also.  This is
quite normal.  Whether or not it is similar code is unknown (and

You can only access cookies from the domain for which the cookie is set.
  You cannot access, delete or otherwise do anything to a cookie from
any other domain.

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.

Site Timeline