I have an ASP.NET Core MVC project that uses session state to store the name of the document that the user previously opened. This requires the use of a cookie.
Here is the setup in Program.cs:
// Cookies for session state
builder.Services.AddDistributedMemoryCache();
builder.Services.AddSession(options =>
{
    options.IdleTimeout = TimeSpan.FromSeconds(10);
    options.Cookie.Name = Constants.SessionCookieName;
    options.Cookie.HttpOnly = true;
    options.Cookie.IsEssential = false;
});
There is a cookie notice at the top of my website about the use of non-essential cookies. If the user chooses, they can either accept the use of non-essential cookies, or reject the use of non-essential cookies (this is for compliance with data protection regulations in the country I live in).
If the user decides to reject the use of non-essential cookies, then the C# code clears the session state and does not use it again. BUT, the cookie is still there. The user can go to their browser's cookie list, and see it. And because it is encrypted, all the user sees is ciphertext, and they just have to take my word for it that I am not storing anything non-essential in there.
The screenshot below is from Edge:
It would be clearer for the users if, when they rejected the use of non-essential cookies, that session-state cookie was deleted.
I have tried numerous ways to delete this session-state cookie: creating another cookie with the same name in the controller's OnActionExecuting and OnActionExecuted, clearing the session state, and calling Response.Cookies.Delete, but it just will not disappear.
Also, if I manually delete the session-state cookie, and do not store anything in the session-state, the session-state cookie is not re-created. It is only created when I store something in session-state. Unfortunately, it is not deleted when I clear the session-state.
How do I delete the session state cookie?
After a bit more work, I have found my mistake.
In my code, when the user chooses to no longer grant cookie consent, my code withdraws consent and then adds a response to delete the existing cookie.
// 1) Withdraw consent
ITrackingConsentFeature? consentFeature = HttpContext.Features.Get<ITrackingConsentFeature>();
// The feature is null when the cookie policy middleware is not registered, so guard the call
consentFeature?.WithdrawConsent();
// 2) Delete the session state cookie
this.Response.Cookies.Append(Constants.SessionCookieName, "togo", new CookieOptions()
{
    MaxAge = TimeSpan.Zero,
    Expires = new DateTimeOffset(DateTime.UtcNow.AddDays(-1)),
    HttpOnly = true,
    SameSite = SameSiteMode.Lax
});
But it appears my code to append a cookie to the response is blocked by the ASP.NET Core MVC code, because cookie consent has just been withdrawn. By swapping the order of the two pieces of code, so deleting the cookie first and then withdrawing consent, I can delete the session state cookie.
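The corrected ordering from the answer above, written out as a complete controller action. This is an added example, not code from the question or the answer; it assumes a controller named CookieConsentController, a constant SessionCookieName standing in for the question's Constants.SessionCookieName, and that the cookie policy middleware (app.UseCookiePolicy()) is registered so that ITrackingConsentFeature is available. It uses Response.Cookies.Delete rather than the answer's Append with a past expiry; the delete must still run before consent is withdrawn, and its Path and SameSite settings must match the cookie that session middleware originally issued, or the browser will not treat the two as the same cookie.

```csharp
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features;
using Microsoft.AspNetCore.Mvc;

public class CookieConsentController : Controller
{
    // Assumed name for illustration; the project uses Constants.SessionCookieName.
    private const string SessionCookieName = ".MyApp.Session";

    // POST /CookieConsent/Reject
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Reject()
    {
        // 1) Stop using session state for this user. This empties the server-side
        //    entry but, as the question observes, does not remove the cookie itself.
        HttpContext.Session.Clear();

        // 2) Delete the session cookie while consent is still in effect. Delete emits a
        //    Set-Cookie header with an expiry in the past; the attributes here must match
        //    the ones AddSession used (HttpOnly, SameSite=Lax, Path=/) for the browser to
        //    replace the existing cookie rather than create a second one.
        Response.Cookies.Delete(SessionCookieName, new CookieOptions
        {
            HttpOnly = true,
            SameSite = SameSiteMode.Lax,
            Path = "/",
        });

        // 3) Only now withdraw consent. Once consent is withdrawn, the cookie policy
        //    middleware suppresses non-essential Set-Cookie headers on this response,
        //    which is why the deletion in step 2 has to come first.
        ITrackingConsentFeature? consent = HttpContext.Features.Get<ITrackingConsentFeature>();
        consent?.WithdrawConsent();

        return RedirectToAction("Index", "Home");
    }
}
```

After the redirect, the browser should show neither the session cookie nor the consent cookie for the site; checking the response headers in the browser's developer tools is the quickest way to confirm that the Set-Cookie deleting the session cookie was actually emitted and not suppressed.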