Cannot clear Cookies - remember me login

I’m implementing a “Remember me” feature with cookies.
It’s such a common feature, and I implemented it in such a common way, that many other programmers will probably fall into the same trap. I’ve found the solution to the problem (after many hours of searching, I have to admit), and I hope that by posting it here, I’ll save somebody some time.

It was implemented in the Struts2 version of my application and it worked well.
When a user clicks the logout button, I invalidate the HttpSession and set the Cookie.maxAge to 0. Then the response is sent back to the browser and the cookie is removed. The next request that comes from the browser does not contain the cookie anymore.

I check the presence of the cookie in a javax.servlet.Filter.

In the Vaadin version of my application, I’ve had trouble that took me a long time to spot.
So I made a Vaadin test application with only that feature, to isolate the problem, but I could not reproduce it: the test application works fine. A logout button removes the cookie. I click another button to trigger the next request and the filter does not detect the cookie anymore. That’s what I expect.

The difference is the login window/form.

In the working test application, I access the following URL:
http://localhost:8080/JavaBlackBelt/ui
The Firebug console shows me that the (button click) requests are sent to URLs like:
http://localhost:8080/JavaBlackBelt/ui/UIDL/?windowName=1784496893

I think that the “UIDL” in the path makes the difference.
In my working test application, I click the button to add the cookie and it sends a request to that URL. The response comes back with the “Set-Cookie” HTTP header.
Then, when I inspect the cookies for localhost in Firefox, the cookie is there (as expected). Its “path” attribute is: /JavaBlackBelt/ui/UIDL/
I click another button to remove the cookie, and in the HTTP response, I see the Set-Cookie HTTP header to remove the cookie (maxAge set to 0) and the cookie is removed.
In the console, that request/response is shown for that kind of URL (with UIDL):
http://localhost:8080/JavaBlackBelt/ui/UIDL/?windowName=1784496893

Now, let’s see the non-working version.
To set the cookie, I press a login button. It does not create the cookie yet, but creates a new modal window with a loginForm (inheriting from com.vaadin.ui.LoginForm; we just added the “remember me” check box).
When clicking the login button on the form, something that I do not understand happens: the Firebug console does not show the request. I’ve put a breakpoint to see the login button execution, and the ClickListener activates, but Firebug shows no request in the console…
When I let the suspended application execute and the response comes back, the modal window closes and I can see the cookie in the Firefox cookies list. But the path does not contain “UIDL”. The path is /JavaBlackBelt/ui/
Then, I click the logout button (regular button, no modal window, no LoginForm). I see the request in Firebug to
http://localhost:8080/JavaBlackBelt/ui/UIDL/?windowName=1784496893
and the response contains the Set-Cookie header to clear the cookie. But the cookie is not cleared; it is still in Firefox.
I think it’s because the request is to …/JavaBlackBelt/ui/UIDL/… and no cookie with this path is found by Firefox. The cookie has another path with no “UIDL”: /JavaBlackBelt/ui/

I changed the server-side code that creates and clears cookies, in order to set the path to “/”. And now it works.

    // findCookie and ContextUtil are the application's own helpers (not shown in this post).
    public static void destroyCookieByName(String name) {
        Cookie cookie = findCookie(name);

        if (cookie != null) {
            cookie.setValue(null);
            // By setting the cookie maxAge to 0 it will be deleted immediately
            cookie.setMaxAge(0);
            // Must be the same path that createCookie used, otherwise the browser keeps the cookie
            cookie.setPath("/");
            ContextUtil.getHttpServletResponse().addCookie(cookie);
        }
    }

    public static void createCookie(String name, String value) {
        Cookie cookie = new Cookie(name, value);
        cookie.setMaxAge(15552000); // Cookie is stored for 6 months
        cookie.setPath("/");  // So it does not depend on the request path (like /JavaBlackBelt/ui/UIDL) -- John 2009-07-13
        ContextUtil.getHttpServletResponse().addCookie(cookie);
    }
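
The path mismatch described in this post, modelled as a small browser cookie store (an added example, not code from the original post or from Vaadin). It follows the RFC 6265 default-path rule; the cookie name `rememberMe`, the login request path `/JavaBlackBelt/ui/loginHandler` and the `CookieJar`/`logoutClears` helpers are hypothetical names made up for the illustration.

```javascript
// Added example: minimal model of a browser cookie store (RFC 6265 rules).
// Cookies are keyed by (name, path); domain is left out because every
// request on the page goes to the same host.

// RFC 6265 section 5.1.4: path used when Set-Cookie carries no Path attribute.
// (This rule drops the trailing slash that the paths listed in the post show.)
function defaultPath(requestPath) {
  if (!requestPath.startsWith("/")) return "/";
  const lastSlash = requestPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : requestPath.slice(0, lastSlash);
}

class CookieJar {
  constructor() { this.store = new Map(); }

  // Apply one Set-Cookie from the response to a request for requestPath.
  setCookie(requestPath, { name, value, path, maxAge }) {
    const key = name + ";" + (path || defaultPath(requestPath));
    // Max-Age=0 only removes the entry with exactly this (name, path).
    if (maxAge <= 0) this.store.delete(key);
    else this.store.set(key, value);
  }

  has(name) {
    return [...this.store.keys()].some((k) => k.startsWith(name + ";"));
  }
}

// Request paths: UIDL_REQ is from the page; LOGIN_REQ is hypothetical (the
// page only reports that the login cookie ended up under /JavaBlackBelt/ui/).
const LOGIN_REQ = "/JavaBlackBelt/ui/loginHandler";
const UIDL_REQ = "/JavaBlackBelt/ui/UIDL/";

// Log in (cookie created), then log out (cookie expired); true if it is gone.
// A path of undefined means the server sent no Path attribute.
// "rememberMe" and "token" are constructed sample values.
function logoutClears(createPath, deletePath) {
  const jar = new CookieJar();
  jar.setCookie(LOGIN_REQ, { name: "rememberMe", value: "token", path: createPath, maxAge: 15552000 });
  jar.setCookie(UIDL_REQ, { name: "rememberMe", value: "", path: deletePath, maxAge: 0 });
  return !jar.has("rememberMe");
}

console.log(logoutClears(undefined, undefined)); // the failing case
console.log(logoutClears("/", "/"));             // the fix from the post
console.log(logoutClears(undefined, "/"));       // cookie stored before the fix
```

The last case shows that a cookie stored under the old default path is not removed by a `Path=/` deletion; it has to be expired with its original path or left to time out. Any explicit path works as long as creation and deletion use the same one, so a path narrower than `/` keeps the cookie from being sent to other applications on the same host.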