Could a website remove all cookies it uses?

Theoretically, could a website remove all cookies it uses?

Usually when a website does not work the website developer says to delete all cookies for all websites. I think they should know what cookies they use and tell us the specific cookies to remove. And along that line, they could provide a way for their website to remove just the cookies that they use, right?

For me, I go to the Application tab of the Developer Tools of the browser and remove the storage, including cookies, there. I think that has never helped and I do not know if it would be the functional equivalent of removing all relevant (the ones that are causing the problem) cookies for the site.

If I knew that removing all cookies would solve a problem then I am willing to do it but usually website people suggest it just because it is easy for them to suggest.

In the current situation, I get signon issues with the PG & E website. I called the customer support and the developer responded by saying to either remove all cookies or use a different browser. Using a different browser works but I do not want to use a different browser as a workaround for their bug and I do not want to remove all cookies unless there is a good reason to remove all of them, including all of them for irrelevant sites. There are very many other websites over many years that are like that.

The old Microsoft MSDN forums were like that; the Microsoft developers often said to remove all cookies and back then I was able to solve the problem by removing specific cookies. Microsoft was just too lazy to be specific about what cookies to remove.

Probably "Delete cookies inside browser for website domain on home page - PHP - SitePoint Forums | Web Development & Design Community" says it is possible. I think people should not accept an answer that says to remove all cookies; people should tell websites that they (provide a way to) remove the cookies themselves, in the website.

Theoretically, a website could expunge cookies they created from your browser when you visit their site.

They could not, however, expunge third-party cookies that were created by things that were loaded when you visited their site, like Google cookies, etc.

It’s beyond the security veil for them to do so, unless said third-party also provides a mechanism for expunging.

2 Likes

Thank you. Yes that clarifies things.

I assume that if the third-party sites provided the feature then the website could use that to clear the cookies.

Theoretically? Sure.

Are you going to put a feature into your cookie-powered plugin that lets a third party (the website) tell you to expunge your cookies on behalf of the first-party contact between you and the user?

And how have you asserted that the third party has the user’s blessing to tell you that? (this is the problem - you need a three-way communication on a two-way channel)

Now that said, anticipating the follow up;

Could the website tell the user “Here’s all the places you’ll have to ask to remove cookies set by this site”?

Maybe? It would require the website to:

  1. be aware of every cookie given by every third party they add to their website, or third parties that third party also uses
  2. make sure that every one of those third parties would have to have a mechanism for deleting cookies
  3. make sure that none of those third parties ever change their software to add more or remove old cookies

… I don't particularly think many websites are going to bite on that level of requirement.

We need to define some things.

  • First party: us
  • Second party: the website we are visiting; the URL should be in the browser’s address bar
  • Third party: anyplace in the internet the second party uses

There would be or could be some trust between the second party and any third parties it uses. The second party could make the request when there is a problem and only then; it could be limited to specific situations where there is an error. I do not see a problem with that.

That is the type of inconvenience I am suggesting is unnecessary. Ideally the fix could be done by the website (the second party) automatically and in an appropriate manner. I agree it might be a mistake for the user (the first party) to initiate it.

Definitely. They should know that. They are using the third parties, they know who they are.

The absence of the feature would break nothing except for adding the specified convenience. If they do implement the feature then sure they can also remove it but that can be true of most everything. If that is the best argument against implementing the feature then the answer to my question is that it is definitely possible.

There is one-directional trust; Google doesn't trust your site when you put an analytics tracker on it; you don't ask Google to enter an agreement with you.

You’re making a LOT of “good faith” assumptions here that simply cannot be assumed to be true. You are putting into the second party’s hands control of determining the cookie exchange between the first and third party, with no form of check or balance in the hands of the first party.

You are making many assumptions too.

It would be better to limit the discussions to the technical capabilities instead of assuming what a business’s motivations are.

The technical ability conversation ended at “Theoretically, sure”.

You've got your Could; the next consideration is Should, followed by Would.

I assume the answer to the question of could it be done is yes.

I assume the answer to the question of whether it should be done depends on whether other people think it should be.

The answer to the question of would it be done depends on whether people think it should be. Saying it would not be done by assuming people do not want it is a big assumption. My assumption is that it would be done if enough people ask for it but most people do not realize they can ask for it.

Fair enough, but you’re a step ahead of me, cause my answer to “Should” is no, there are too many security concerns involved in letting an external party (the website) determine that the relationship between two parties (the user and the source of the cookie) should change or terminate.

And for me, once should is no, would is moot.

That must be determined by them.

So you would say that browsers should let JavaScript access your clipboard, because “that must be determined by them”. Or that you should be able to cross origin scripts to load other sites’ content.

At some point, there is a security threshold that can't be crossed, because bad actors WILL cross it if given the opportunity.

You can't write the internet on the premise that everyone is going to make choices for the benefit of the end user above themselves.

shrug

If that is done when the third-party cookies are created and modified then yes it seems very reasonable to do that to remove them. If not then the issue is not relevant.

Fortunately not all developers believe that. Many developers work hard to make the end-user experience convenient for the end-user.

I concur and agree. But; when it comes to developing with security in mind, you code for the lowest common denominator to prevent problems from the bad apples, even if the good ones would never trigger them.

Why do we have parameterized queries and never trust user input in PHP? Because SQL injection is a thing. Do hard working people with good intentions inject SQL that will expose your database? No. But do you code to their standard, or the one that protects you from those that do?

Yes. Websites should not use third-party cookies and other third-party data.

Good luck finding a website of any decent size and use that doesn't have an advertiser (hey look, third party data) or use tools to track analytics about their visitors (hi Google).

Yes, a website can remove all cookies it uses. There are different ways to accomplish this, depending on the programming language and framework used to build the website, but some common methods include:

  • Using the JavaScript document.cookie property to delete specific cookies.
  • Sending a “Set-Cookie” HTTP header with the “expires” attribute set to a date in the past, which will cause the browser to delete the cookie.
  • Using a server-side script to delete cookies from the user’s device.

It’s important to note that while a website can remove its own cookies, it cannot remove third-party cookies that may be set by other websites or services. Additionally, removing all cookies can also delete any preferences that a user has set on a website, like a login session, and other data that the website uses to keep track of the user’s activities and preferences.

Also, it’s good to mention that, as a best practice, websites should provide a clear and concise cookie policy, inform users about the types of cookies they are using and their purpose, and allow users to opt out of cookies if they wish.
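The following is an added example, not part of any post in this thread. It models the two points made above: a site expires its own cookies with a `Set-Cookie` header dated in the past, which only works when name, domain and path match, and it cannot touch cookies that belong to another domain. The cookie names, the `example.test` and `tracker.test` hosts and the simplified jar are assumptions made for illustration.

```javascript
// Constructed inventory of the cookies a hypothetical site sets (names are made up).
const SITE_COOKIES = [
  { name: "session", path: "/", domain: null, httpOnly: true },
  { name: "prefs", path: "/account", domain: "example.test", httpOnly: false },
];

// One expiring Set-Cookie header per cookie. Name, Domain and Path must match
// the values used when the cookie was set, otherwise the browser keeps it.
function expireHeaders(cookies) {
  return cookies.map((c) => {
    const parts = [`${c.name}=`, "Expires=Thu, 01 Jan 1970 00:00:00 GMT", "Max-Age=0", `Path=${c.path}`];
    if (c.domain) parts.push(`Domain=${c.domain}`);
    if (c.httpOnly) parts.push("HttpOnly");
    return parts.join("; ");
  });
}

// Simplified model of a browser cookie jar (not a full RFC 6265 implementation):
// a cookie is identified by name + domain + path, and a response may only set or
// expire cookies for its own host or a parent domain of it.
function applySetCookie(jar, header, requestHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attr = Object.fromEntries(attrs.map((a) => {
    const i = a.indexOf("=");
    return i < 0 ? [a.toLowerCase(), true] : [a.slice(0, i).toLowerCase(), a.slice(i + 1)];
  }));
  const domain = attr.domain || requestHost;
  if (requestHost !== domain && !requestHost.endsWith("." + domain)) return false; // foreign domain: rejected
  const key = [pair.slice(0, eq), domain, attr.path || "/"].join("|");
  const expired = attr["max-age"] === "0" || Date.parse(attr.expires) <= Date.now();
  if (expired) return jar.delete(key); // true only if a matching cookie existed
  jar.set(key, pair.slice(eq + 1));
  return true;
}

function demo() {
  const host = "www.example.test";
  const jar = new Map([["_track|tracker.test|/", "xyz"]]); // constructed third-party cookie
  applySetCookie(jar, "session=abc; Path=/; HttpOnly", host);
  applySetCookie(jar, "prefs=dark; Path=/account; Domain=example.test", host);
  // Same name, wrong Path: nothing is deleted.
  const wrongPath = applySetCookie(jar, "prefs=; Max-Age=0; Path=/; Domain=example.test", host);
  // The site tries to expire another domain's cookie: the browser ignores it.
  const foreign = applySetCookie(jar, "_track=; Max-Age=0; Path=/; Domain=tracker.test", host);
  expireHeaders(SITE_COOKIES).forEach((h) => applySetCookie(jar, h, host));
  return { wrongPath, foreign, remaining: [...jar.keys()] };
}
```

A site can also send the `Clear-Site-Data: "cookies"` response header, which asks the browser to drop the cookies for the responding site without listing each one; it likewise has no effect on cookies held by other domains.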

Yes. And that is fundamental to my point. Website support people often say to remove all cookies for all sites. I am suggesting that they be specific about what cookies to delete and it would be better if the website were to remove the specific cookies it uses, including requesting removal by third parties.

To be fair, that's mostly just so their site can put the cookies back, but “the right way”. S’not to remove and keep them removed.