Share via

How to: Delete a Cookie

You cannot directly delete a cookie on a user's computer. However, you can direct the user's browser to delete the cookie by setting the cookie's expiration date to a past date. The next time a user makes a request to a page within the domain or path that set the cookie, the browser will determine that the cookie has expired and remove it.


Calling the Remove method of the Cookies collection removes the cookie from the collection on the server side, so the cookie will not be sent to the client. However, the method does not remove the cookie from the client if it already exists there.

  1. Determine whether the cookie exists, and if so, create a new cookie with the same name.

  2. Set the cookie's expiration date to a time in the past.

  3. Add the cookie to the Cookies collection object.

    The following code example shows how to set a past expiration date on a cookie.

    If (Not Request.Cookies("UserSettings") Is Nothing) Then
        Dim myCookie As HttpCookie
        myCookie = New HttpCookie("UserSettings")
        myCookie.Expires = DateTime.Now.AddDays(-1D)
    End If
    if (Request.Cookies["UserSettings"] != null)
        HttpCookie myCookie = new HttpCookie("UserSettings");
        myCookie.Expires = DateTime.Now.AddDays(-1d);

Compiling the Code

This example requires:

  • An ASP.NET Web page.

  • A cookie written previously named UserSettings, as illustrated in the topicHow to: Write a Cookie.

Robust Programming

For security reasons, you can read only cookies that are set by pages that are part of the same domain. If the cookie's Path property has been set, that cookie is also available only to pages and subfolders within that path of the domain.

When reading specific cookie values, test that the cookie exists and that it has a value, otherwise an exception will occur.


The browser can send the data back only to the server that originally created the cookie. However, malicious users can access cookies and read their contents. Do not store sensitive information in a cookie, such as a user name or password. Instead, store a token that you can use to look up the sensitive information on the server. Additionally, cookies can be tampered with, so any data in cookie should be treated with the same measures you use to prevent cross site scripting attacks. See How to: Protect Against Script Exploits in a Web Application by Applying HTML Encoding to Strings for more information.

See Also


How to: Write a Cookie

How to: Read a Cookie


ASP.NET Cookies Overview

Basic Security Practices for Web Applications

ASP.NET State Management Overview