Posts: 8
Threads: 3
Joined: Nov 2024
Reputation:
0
Location: Melbourne, Australia
03-07-2025, 06:22 AM
(This post was last modified: 03-07-2025, 06:28 AM by Peter Home.)
I'm using Intraweb 16.0.4 on Delphi 10.2 (Update 3). In ServerController|CookieOptions I have the following:
CookieNameSuffix: <empty>
HttpOnly: false
RunCookieCheck: true
SameSite: ssoLax
Secure: false
SessionCookies: false
UseCookies: true
I create a cookie with this call:
WebApplication.response.Cookies.AddCookie('Username', xUser, '/', Now + 180);
I create three other cookies in the same manner.
However, upon inspection in the browser, all the cookies are created as session cookies. This is true in Firefox, Chrome and various other browsers.
How do I generate persistent cookies?
Posts: 2,301
Threads: 204
Joined: Mar 2018
Reputation:
87
Location: Auckland, New Zealand
03-07-2025, 10:50 PM
(This post was last modified: 03-07-2025, 10:52 PM by Alexandre Machado.)
(03-07-2025, 06:22 AM)Peter Home Wrote: I'm using Intraweb 16.0.4 on Delphi 10.2 (Update 3). In ServerController|CookieOptions I have the following:
CookieNameSuffix: <empty>
HttpOnly: false
RunCookieCheck: true
SameSite: ssoLax
Secure: false
SessionCookies: false
UseCookies: true
I create a cookie with this call:
WebApplication.response.Cookies.AddCookie('Username', xUser, '/', Now + 180);
I create three other cookies in the same manner.
However, upon inspection in the browser, all the cookies are created as session cookies. This is true in Firefox, Chrome and various other browsers.
How do I generate persistent cookies?
Hi Peter,
This is the code to generate 2 cookies, the first is not a session cookie, the second is a session cookie:
Code: procedure TIWForm1.IWAppFormRender(Sender: TObject);
begin
// Persistent cookie
WebApplication.Response.Cookies.AddCookie({Name=}'NotASessionCookie',
{Value=}'NotASessionCookieValue',
{Path=}WebApplication.CookiePath,
{Expires=}Date + 1);
// Session cookie
WebApplication.Response.Cookies.AddCookie({Name=}'MySessionCookie',
{Value=}'SessionCookieValue',
{Path=}WebApplication.CookiePath,
{Expires=}0);
end;
This is the result:
As you can see, it is the correct expected result.
The key here is the Expires field. When Expires = 0 is provided, the cookie is a session cookie. If Expires is less than zero, the cookie will be removed. If Expires is greater than zero, the cookie becomes a persistent cookie
Posts: 660
Threads: 2
Joined: Mar 2018
Reputation:
36
Location: California, USA
(03-07-2025, 10:50 PM)Alexandre Machado Wrote: As you can see, it is the correct expected result.
But not in the OP'S case.
(03-07-2025, 10:50 PM)Alexandre Machado Wrote: The key here is the Expires field. When Expires = 0 is provided, the cookie is a session cookie. If Expires is less than zero, the cookie will be removed. If Expires is greater than zero, the cookie becomes a persistent cookie
The OP is creating a persistent cookie the same way you are, but it is not persisting.
(03-07-2025, 06:22 AM)Peter Home Wrote: I create three other cookies in the same manner.
However, upon inspection in the browser, all the cookies are created as session cookies. This is true in Firefox, Chrome and various other browsers.
Can you show the actual Set-Cookie header in the responses? Your browser's debugger can provide that to you.
Posts: 2,301
Threads: 204
Joined: Mar 2018
Reputation:
87
Location: Auckland, New Zealand
(03-08-2025, 11:59 PM)rlebeau Wrote: The OP is creating a persistent cookie the same way you are, but it is not persisting.
I can see that, but there is something more at play on his side.
Posts: 8
Threads: 3
Joined: Nov 2024
Reputation:
0
Location: Melbourne, Australia
03-11-2025, 12:44 AM
(This post was last modified: 03-11-2025, 04:04 AM by Alexandre Machado.)
The set-cookie entries in the response headers correctly show a date 180 days in advance.
Code: set-cookie: Username=mait; Path=/;" Expires="Wed, 10 Sep 2025 23:05:51 GMT; SameSite=Lax
set-cookie: xc01=xdyxtpxnmyrm; Path=/;" Expires="Wed, 10 Sep 2025 23:05:51 GMT; SameSite=Lax
set-cookie: xc02=44646551-A7B7-4133-8DD8-7FA1C9669563; Path=/;" Expires="Wed, 10 Sep 2025 23:05:51 GMT; SameSite=Lax
except for the Intraweb cookie (which is not under discussion)
Code: set-cookie: IW_iNTELLiWeb=vFY9aWaXTeF0Y%7EPhNmFniqBKZ%7ES_2; Path=/vFY9aWaXTeF0Y~PhNmFniqBKZ~S;" Expires="Tue, 11 Mar 2025 23:35:52 GMT; SameSite=Lax
The web site in question is xxxxx
You can log in with the credentials "test" "test". If you do, you will see the set-cookie entries in response to clicking the [Log In] button. However, upon immediate inspection of the cookies in the browser, you will see they are set to "Session".
On the surface it may appear that this is not an IntraWeb issue but I would like to get your expert advice before drawing that conclusion. I am not skilled enough to determine why Firefox, Chrome, etc. would determine the set-cookie requests to be "Session" cookies.
Posts: 2,301
Threads: 204
Joined: Mar 2018
Reputation:
87
Location: Auckland, New Zealand
Seems to me that something is wrong... your headers are not correct (missing/mistmatched quotes).
I checked your application and will investigate the headers. Now that I have the address, I edited your previous response and removed the site from there, so you won't have curious "visitors" (but feel free to restore the address if you don't mind - I wouldn't recommend though)
Please write me directly at alexandre at atozed dot com and I will get back to you
Posts: 8
Threads: 3
Joined: Nov 2024
Reputation:
0
Location: Melbourne, Australia
For those who may come across this page later, the cookie issue is fixed from release 16.0.8 onward.
|