Login

Peter Home · (This post was last modified: 03-07-2025, 06:28 AM by Peter Home.)

I'm using Intraweb 16.0.4 on Delphi 10.2 (Update 3). In ServerController|CookieOptions I have the following:

CookieNameSuffix: <empty>
HttpOnly: false
RunCookieCheck: true
SameSite: ssoLax
Secure: false
SessionCookies: false
UseCookies: true

I create a cookie with this call:

WebApplication.response.Cookies.AddCookie('Username', xUser, '/', Now + 180);

I create three other cookies in the same manner.

However, upon inspection in the browser, all the cookies are created as session cookies. This is true in Firefox, Chrome and various other browsers.

How do I generate persistent cookies?

***Alexandre Machado*** · (This post was last modified: 03-07-2025, 10:52 PM by Alexandre Machado.)

(03-07-2025, 06:22 AM)Peter Home Wrote: I'm using Intraweb 16.0.4 on Delphi 10.2 (Update 3). In ServerController|CookieOptions I have the following:

CookieNameSuffix: <empty>
HttpOnly: false
RunCookieCheck: true
SameSite: ssoLax
Secure: false
SessionCookies: false
UseCookies: true

I create a cookie with this call:

WebApplication.response.Cookies.AddCookie('Username', xUser, '/', Now + 180);

I create three other cookies in the same manner.

However, upon inspection in the browser, all the cookies are created as session cookies. This is true in Firefox, Chrome and various other browsers.

How do I generate persistent cookies?

Hi Peter,

This is the code to generate 2 cookies, the first is not a session cookie, the second is a session cookie:

Code:
procedure TIWForm1.IWAppFormRender(Sender: TObject);

begin

  // Persistent cookie

  WebApplication.Response.Cookies.AddCookie({Name=}'NotASessionCookie',

                                            {Value=}'NotASessionCookieValue',

                                            {Path=}WebApplication.CookiePath,

                                            {Expires=}Date + 1);

  // Session cookie

  WebApplication.Response.Cookies.AddCookie({Name=}'MySessionCookie',

                                            {Value=}'SessionCookieValue',

                                            {Path=}WebApplication.CookiePath,

                                            {Expires=}0);

end;

This is the result:

As you can see, it is the correct expected result.

The key here is the Expires field. When Expires = 0 is provided, the cookie is a session cookie. If Expires is less than zero, the cookie will be removed. If Expires is greater than zero, the cookie becomes a persistent cookie

**rlebeau** · 03-08-2025, 11:59 PM

(03-07-2025, 10:50 PM)Alexandre Machado Wrote: As you can see, it is the correct expected result.

But not in the OP'S case.

(03-07-2025, 10:50 PM)Alexandre Machado Wrote: The key here is the Expires field. When Expires = 0 is provided, the cookie is a session cookie. If Expires is less than zero, the cookie will be removed. If Expires is greater than zero, the cookie becomes a persistent cookie

The OP is creating a persistent cookie the same way you are, but it is not persisting.

(03-07-2025, 06:22 AM)Peter Home Wrote: I create three other cookies in the same manner.

However, upon inspection in the browser, all the cookies are created as session cookies. This is true in Firefox, Chrome and various other browsers.

Can you show the actual Set-Cookie header in the responses? Your browser's debugger can provide that to you.

***Alexandre Machado*** · 03-09-2025, 07:49 PM

(03-08-2025, 11:59 PM)rlebeau Wrote: The OP is creating a persistent cookie the same way you are, but it is not persisting.

I can see that, but there is something more at play on his side.

Peter Home · (This post was last modified: 03-11-2025, 04:04 AM by Alexandre Machado.)

The set-cookie entries in the response headers correctly show a date 180 days in advance.

Code:
set-cookie: Username=mait; Path=/;" Expires="Wed, 10 Sep 2025 23:05:51 GMT; SameSite=Lax

set-cookie: xc01=xdyxtpxnmyrm; Path=/;" Expires="Wed, 10 Sep 2025 23:05:51 GMT; SameSite=Lax

set-cookie: xc02=44646551-A7B7-4133-8DD8-7FA1C9669563; Path=/;" Expires="Wed, 10 Sep 2025 23:05:51 GMT; SameSite=Lax

except for the Intraweb cookie (which is not under discussion)

Code:
set-cookie: IW_iNTELLiWeb=vFY9aWaXTeF0Y%7EPhNmFniqBKZ%7ES_2; Path=/vFY9aWaXTeF0Y~PhNmFniqBKZ~S;" Expires="Tue, 11 Mar 2025 23:35:52 GMT; SameSite=Lax

The web site in question is xxxxx

You can log in with the credentials "test" "test". If you do, you will see the set-cookie entries in response to clicking the [Log In] button. However, upon immediate inspection of the cookies in the browser, you will see they are set to "Session".

On the surface it may appear that this is not an IntraWeb issue but I would like to get your expert advice before drawing that conclusion. I am not skilled enough to determine why Firefox, Chrome, etc. would determine the set-cookie requests to be "Session" cookies.

***Alexandre Machado*** · 03-11-2025, 04:07 AM

Seems to me that something is wrong... your headers are not correct (missing/mistmatched quotes).

I checked your application and will investigate the headers. Now that I have the address, I edited your previous response and removed the site from there, so you won't have curious "visitors" (but feel free to restore the address if you don't mind - I wouldn't recommend though)

Please write me directly at alexandre at atozed dot com and I will get back to you

Peter Home · 03-11-2025, 10:48 PM

For those who may come across this page later, the cookie issue is fixed from release 16.0.8 onward.

Login
Username:
Password:	Lost Password?
	Remember me