Theoretically, could a website remove all cookies it uses?
Usually when a website does not work the website developer says to delete all cookies for all websites. I think they should know what cookies they use and tell us the specific cookies to remove. And along that line, they could provide a way for their website to remove just the cookies that they use, right?
For me, I go to the Application tab of the Developer Tools of the browser and remove the storage, including cookies, there. I think that has never helped and I do not know if it would be the functional equivalent of removing all relevant (the ones that are causing the problem) cookies for the site.
If I knew that removing all cookies would solve a problem then I am willing to do it but usually website people suggest it just because it is easy for them to suggest.
In the current situation, I get signon issues with the PG & E website. I called the customer support and the developer responded by saying to either remove all cookies or use a different browser. Using a different browser works but I do not want to use a different browser as a workaround for their bug and I do not want to remove all cookies unless there is a good reason to remove all of them, including all of them for irrelevant sites. There are very many other websites over many years that are like that.
The old Microsoft MSDN forums were like that; the Microsoft developers often said to remove all cookies and back then I was able to solve the problem by removing specific cookies. Microsoft was just too lazy to be specific about what cookies to remove.
Second party: the website we are visiting; the URL should be in the browser’s address bar
Third party: anyplace in the internet the second party uses
There would be or could be some trust between the second party and any third parties it uses. The second party could make the request when there is a problem and only then; it could be limited to specific situations where there is an error. I do not see a problem with that.
That is the type of inconvenience I am suggesting is unnecessary. Ideally the fix could be done by the website (the second party) automatically and in an appropriate manner. I agree it might be a mistake for the user (the first party) to initiate it.
Definitely. They should know that. They are using the third parties, they know who they are.
The absence of the feature would break nothing except for adding the specified convenience. If they do implement the feature then sure they can also remove it but that can be true of most everything. If that is the best argument against implementing the feature then the answer to my question is that it is definitely possible.
There is one directional trust; Google doesnt trust your site when you put an analytics tracker on it; you dont ask Google to enter an agreement with you.
You’re making a LOT of “good faith” assumptions here that simply cannot be assumed to be true. You are putting into the second party’s hands control of determining the cookie exchange between the first and third party, with no form of check or balance in the hands of the first party.
I assume the answer to the question of could it be done is yes.
I assume the answer to the question of whether it should be done depends on whether other people think it should be.
The answer to the question of would it be done depends on whether people think it should be. Saying it would not be done by assuming people do not want it is a big assumption. My assumption is that it would be done if enough people ask for it but most people do not realize they can ask for it.
Fair enough, but you’re a step ahead of me, cause my answer to “Should” is no, there are too many security concerns involved in letting an external party (the website) determine that the relationship between two parties (the user and the source of the cookie) should change or terminate.
I concur and agree. But; when it comes to developing with security in mind, you code for the lowest common denominator to prevent problems from the bad apples, even if the good ones would never trigger them.
Why do we have parameterized queries and never trust user input in PHP? Because SQL injection is a thing. Do hard working people with good intentions inject SQL that will expose your database? No. But do you code to their standard, or the one that protects you from those that do.
Yes, a website can remove all cookies it uses. There are different ways to accomplish this, depending on the programming language and framework used to build the website, but some common methods include:
Sending a “Set-Cookie” HTTP header with the “expires” attribute set to a date in the past, which will cause the browser to delete the cookie.
Using a server-side script to delete cookies from the user’s device.
It’s important to note that while a website can remove its own cookies, it cannot remove third-party cookies that may be set by other websites or services. Additionally, removing all cookies can also delete any preferences that a user has set on a website, like login session, and other data that the website uses to keep track of user’s activities and preferences.
Yes. And that is fundamental to my point. Website support people often say to remove all cookies for all sites. I am suggesting that they be specific about what cookies to delete and it would be better if the website were to remove the specific cookies it uses, including requesting removal by third parties.