Yii is unable to delete cookie created by JavaScript

Hi there,

In one of my controllers I’m using Yii code to only read (and delete) cookies created by scripting language (JavaScript) attached to one of the views. Actually the same as controller renders - i.e. I want to make sure that in certain conditions (“clean” controller invoke, meaning that queryString is empty and action is called without any additional arguments) cookie will be deleted.

I have this piece of code:

$cookie = $cookies[www-reg-cookie'];




        $cookie->httpOnly = FALSE;


        echo('<pre>'.print_r('DELETED!', TRUE).'</pre>');


echo('<pre>$cookies[www-reg-cookie] = "'.print_r($cookies['www-reg-cookie'], TRUE).'"</pre>');

Running it brings me to at least two bad conclusions:

  1. Yii is not able to delete cookie created by JavaScript. Both method presented (run separately or together) failed.

  2. Correct me, if I’m wrong. Since I’m using unset, particular cookie should be unset - i.e. should disappear and become a non-existing object, not just an empty string as value, right? If this is true, then it seems that Yii is… lying! :] Above presented code is executed (I’m getting “DELETED!” message on screen as good as another line saying that cookie is empty, but my browser claims that cookie was NOT removed and so the code reacts as it would not be removed.

As you can see, I thought that the problem lies in httpOnly param of a cookie. After analysing code I found that Yii uses it in setcookie responsible also for deleting a cookie. So I’ve set it to FALSE (I don’t know, what is it’s default value, docs says nothing on this) to make sure that Yii will pass to setcookie. I don’t know if httpOnly is also relevant to deleting a cookie - i.e. if setting this to true would make cookie deleted only to http, but still available to JavaScript.

But the conclusion is that with or without httpOnly set to FALSE and with unset or cookie->delete Yii is not able to delete a cookie created by JavaScript.

And the big question is, what can I (or we) do about it? Is the only way to make JavaScript responsible also for deletion of a cookie?

Maybe you have some character in output before cookie deletion code? For example whitespace.

Write die(’+’); before cookie deletion code and then View Source in your browser if this + is first symbol.

Also you could check if you don’t have BOM problem in some files - http://www.dotvoid.com/2010/04/detecting-utf-bom-byte-order-mark/

in addition for what itpg said,

best practice not to close with ?>


I did as you said and I found that ‘+’ is the only character in the file (view source). I’ve saved file as text file and viewed it in three different editors as good as in Total Commander’s viewer in hex mode. I found out that the file contains exactly three bytes: plus sign, line feed and carriage return. So, there is nothing else in it.

I’m using Netbeans only to edit all files belonging to my Yii application. AFAIK Netbeans is NOT adding BOM to UTF-8 files saved in it.

Does it also means view files? I don’t use ending ?> part in any of my controllers, but I thought that adding this to a view files (which in fact are HTML files) should not affect output or headers sent to browser. Am I wrong?

I found a partial (or work-around) solution for this problem.

Since I want to delete cookie only in certain situation (i.e. queryString is not empty – page called up with additional parameters), I’m able to detect these in controller, pass true/false value to a view, catch it there again and if set to true, call extra jQuery code to delete cookie:

$.cookie("www-reg-cookie", null);

This works fine, but I still has not idea, why Yii is unable to delete cookie, created by JavaScript, by it’s own code?

Hi, again.

I’ve opened a bug report on this. Also Issue 2760 seems to be some kind of similar to this.