Hi all --

I have a question regarding cookie expiration. I am trying to expire a
cookie immediately, and the Servlet Specification (and javadoc) states
that:

  Cookie's public void setMaxAge(int expiry)
  Sets the maximum age of the cookie in seconds.
  A positive value indicates that the cookie will expire after that many
  seconds have passed. Note that the value is the maximum age when the
  cookie will expire, not the cookie’s current age.
  A negative value means that the cookie is not stored persistently and
  will be deleted when the Web browser exits. A zero value causes the
  cookie to be deleted.

My guess, based on this, is that cookie.setMaxAge(0) should expire the
cookie immediately, but it seems that with Tomcat the missing step is to
re-add the cookie to the response, at which point it is actually
deleted. What I'm wondering is, is this a required step? I've noticed
that Oracle implements this differently, deleting the cookie immediately
when the MaxAge is set to 0. Can anyone who is familiar with the
specification enlighten me?

Thanks,
Anne
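
The re-add step described above for Tomcat, as an added example (not part of the original post and not Tomcat's own code). It assumes the javax.servlet API; the class name CookieExpiry, the method expire and its path parameter are hypothetical names chosen for illustration.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class CookieExpiry {

    private CookieExpiry() {}

    /**
     * Asks the browser to delete the named cookie.
     *
     * @param path the path the cookie was originally set with (assumption:
     *             the caller knows it; the request does not carry it)
     * @return true if the request carried the cookie and a deletion was sent
     */
    public static boolean expire(HttpServletRequest request,
                                 HttpServletResponse response,
                                 String name,
                                 String path) {
        Cookie[] cookies = request.getCookies(); // null when no cookies were sent
        if (cookies == null) {
            return false;
        }
        for (Cookie c : cookies) {
            if (!name.equals(c.getName())) {
                continue;
            }
            // Calling c.setMaxAge(0) alone only changes the server-side object.
            // The browser acts on a Set-Cookie header, so a cookie with the
            // same name must be written to the response.
            Cookie dead = new Cookie(name, ""); // drop the old value
            // Request cookies carry only name=value, so c.getPath() is null
            // here. The browser matches deletions on name + path (+ domain),
            // so the original path has to be supplied explicitly.
            dead.setPath(path);
            dead.setMaxAge(0);
            response.addCookie(dead);
            return true;
        }
        return false;
    }
}
```

A call such as CookieExpiry.expire(request, response, "prefs", "/app") has to run before the response is committed, because the cookie travels as a response header.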
