
The case of the reappearing cookies...

matt

I've a page with some flow logic in the OnInitialization event. At the end of the flow logic I have

        request->get_cookies( CHANGING cookies = lt_cookies ).
        request->delete_cookie( 'Mycookie' ).
        request->get_cookies( CHANGING cookies = lt_cookies ).
        CALL METHOD navigation->response_complete.

I test the page from SE80. Through debug, I can see that lt_cookies (after the second get_cookies) no longer has the cookie "Mycookie".

I then run the test again. At the start of my flow logic, I've got

request->get_cookies( CHANGING cookies = lt_cookies ).

In debug, I look at lt_cookies - and "Mycookie" is listed again!

The whole process is

IF cookie has a value. " Second time page is called
  Do stuff with the cookie value.
  Delete cookie.
ELSE. " First time page is called
  Do some other stuff.
  Set the cookie.
ENDIF.

So I really do need to delete it.

matt

Accepted Solutions (0)

Answers (1)

GrahamRobbo

Hi Matt,

I just had a quick play with this and I can see your problem.

Perhaps you should use the Mycookie attribute as a flag rather than try and delete it?

Something like...

IF cookie EQ abap_true. " Second time page is called
  Do stuff with the cookie value.
  Set the cookie to abap_false.
ELSE. " First time page is called
  Do some other stuff.
  Set the cookie to abap_true.
ENDIF.

Cheers

Graham Robbo

matt

This is to do with SSO, and password reverification. The password reverification sets the cookie with the SSO information (encrypted). So we do have to use a cookie. We could use a flag, as you say, but we still have to be able to delete the cookie for security reasons.

matt

matt

Graham

Did you manage to replicate the problem? Do you think this could be a feature (or a bug)? Trouble is I'm not totally confident in web programming, so I'm reluctant to fire off a problem report via OSS only to find out that I've made a stupid mistake!

Thanks

matt

GrahamRobbo

Hi Matt,

Sorry this has taken a while. I have been trying to get on a system and, for many reasons, quite unbelievably I haven't been able to.

Anyway, I have done some research (and reread your code) and this is what I believe you need to do. Most of this info came from Advanced BSP Programming (http://www.sap-press.com/product.cfm?account=&product=H1903) by Brian McKellar and Thomas Jung.

Firstly, because your cookie is created on the server and then sent to the browser the correct call for setting it is

response->set_cookie

rather than

request->set_cookie

as it needs to be set on the HTTP response.

This leads me to assume that the call

response->delete_cookie

is used to delete a cookie that has been created in the response object before the response is dispatched back to the browser. If I had system access I could try and test this.

You can't delete a client-side cookie from the server because it is actually stored on the browser. There is a call

response->delete_cookie_at_client

that sets the expiry date of the cookie to Jan 1st 1980 so that the browser will see the cookie as stale and drop it. I would try this first to see if it works.

Finally, if you are actually talking about the SAP SSO cookie itself, there is a function module called 'HTTP_DELETE_SSO2_COOKIE' that I have used in the past to achieve this.

Cheers

Graham Robbo

matt

Still doesn't work. We're not using the SSO framework at this point. But many thanks for your suggestions.

GrahamRobbo

Hi Matt,

I just did a test on an ECC6.0 SP14 system and it seemed to me that it was working correctly.

I created a simple, and stateless, BSP page with just the following Layout

<%@page language="abap" %>
<%@extension name="htmlb" prefix="htmlb" %>
<%
  data: lt_req_cookies type TIHTTPCKI,
  lt_res_cookies type TIHTTPCKI,
  lv_uzeit type string.
  lv_uzeit = sy-uzeit.
  request->get_cookies( CHANGING cookies = lt_req_cookies ).
  response->set_cookie( name = 'MyTestCookie' value = lv_uzeit ).
  "response->delete_cookie_at_client( 'MyTestCookie' ).
  response->get_cookies( CHANGING cookies = lt_res_cookies ).
%>
<htmlb:content design="design2003" >
  <htmlb:page title=" " >
    <htmlb:form>
      <htmlb:tableView id            = "reqcookies"
                       table         = "<%= lt_req_cookies %>"
                       headerText    = "Request Cookies"
                       headerVisible = "TRUE" />
      <hr />
      <htmlb:tableView id            = "rescookies"
                       table         = "<%= lt_res_cookies %>"
                       headerText    = "Response Cookies"
                       headerVisible = "TRUE" />
    </htmlb:form>
  </htmlb:page>
</htmlb:content>

This displays the cookies from the HTTP request (what has come from the browser), sets the MyTestCookie cookie in the HTTP response, and then displays the cookies from the HTTP response (what is going back to the browser).

The first time I execute the BSP I just see a couple of SAP specific cookies in the request called sap-usercontext and sap-appcontext which I will ignore from now on.

In the response cookies I see the MyTestCookie set to the current time as expected.

If I then refresh the browser page to call the BSP again, I see the HTTP request contains the MyTestCookie with the value that was specified in the first request. In the HTTP response I see the same cookie with the value of the current time. Again this is as expected.

Now I comment out the response->set_cookie call and uncomment the response->delete_cookie_at_client call. Now the code should look like this.

<%
  data: lt_req_cookies type TIHTTPCKI,
  lt_res_cookies type TIHTTPCKI,
  lr_cookie type ref to ihttpcki,
  lv_uzeit type string.
  lv_uzeit = sy-uzeit.
  request->get_cookies( CHANGING cookies = lt_req_cookies ).
  "response->set_cookie( name = 'MyTestCookie' value = lv_uzeit ).
  response->delete_cookie_at_client( 'MyTestCookie' ).
  response->get_cookies( CHANGING cookies = lt_res_cookies ).
%>

Now if I refresh the page again to call the BSP application I can see that the MyTestCookie cookie is still passed in the HTTP request with the value that was passed in the previous response. In the HTTP response I see the MyTestCookie has a value of 0 and an expiry of Tue, 01-Jan-1980 00:00:01 GMT.

So the browser should now have received the cookie, seen that it has expired and discarded it.

Now if I hit refresh again I see that the HTTP request object no longer contains the MyTestCookie cookie. Again this is as I would expect it to work.

The system I am testing on has SSO enabled, but I don't think that should change the handling of the cookies in any way.

Perhaps you can try this same test on your system to try and diagnose your problem?

Cheers

Graham Robbo
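
An added example, not code from either poster or from SAP: a toy browser cookie jar in Python showing why removing the cookie from the server's request object leaves the browser's copy intact, while an expired Set-Cookie (the value 0 and 1980 expiry quoted above) removes it, but only when the path matches the one the cookie was stored under. The `BrowserJar` class, the function names, the `/app` path and the sample cookie value are constructed for illustration; domain matching and default-path derivation are left out.

```python
from datetime import datetime

EXPIRED = "Tue, 01-Jan-1980 00:00:01 GMT"   # expiry value quoted in the thread

class BrowserJar:
    """Toy browser cookie store; cookies are keyed by (name, path)."""
    def __init__(self):
        self.cookies = {}

    def receive(self, set_cookie_headers, now):
        for header in set_cookie_headers:
            pair, *attrs = [p.strip() for p in header.split(";")]
            name, _, value = pair.partition("=")
            opts = {k.lower(): v for k, _, v in (a.partition("=") for a in attrs)}
            key = (name, opts.get("path", "/"))   # simplification: default path "/"
            exp = opts.get("expires")
            if exp and datetime.strptime(exp, "%a, %d-%b-%Y %H:%M:%S GMT") <= now:
                self.cookies.pop(key, None)       # stale: drop only the matching cookie
            else:
                self.cookies[key] = value

    def request_cookies(self):
        """Cookies the browser would send on its next request."""
        return {name: value for (name, _path), value in self.cookies.items()}

def drop_from_request(request_cookies):
    request_cookies.pop("MyTestCookie", None)     # server-side copy only
    return []                                     # no Set-Cookie reaches the browser

def expire_at_client(path):
    return [f"MyTestCookie=0; expires={EXPIRED}; path={path}"]

def run_scenarios():
    now = datetime(2024, 1, 1)                    # constructed "current" time
    handlers = {
        "request_only": drop_from_request,
        "expire_same_path": lambda sent: expire_at_client("/app"),
        "expire_other_path": lambda sent: expire_at_client("/"),
    }
    still_sent = {}
    for label, respond in handlers.items():
        jar = BrowserJar()
        jar.receive(["MyTestCookie=101500; path=/app"], now)   # constructed first visit
        jar.receive(respond(jar.request_cookies()), now)       # second visit
        still_sent[label] = "MyTestCookie" in jar.request_cookies()
    return still_sent

if __name__ == "__main__":
    print(run_scenarios())
```

Each entry in the result says whether the browser would still send MyTestCookie on the following request.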