2016-04-01

We have a webshop that is heavily dependent on cookies.
Normally, we have an order-ID cookie, that is persistent on the website no matter where the user navigates and how many items they put in the basket. This cookie is only meant to be set/changed if the customer has just completed their order (the order status changes on the server) or if they don't have a value for this cookie.
We check for the order status with the server on each page load and change the cookie only if the conditions mentioned above are met.

Recently, some of my colleagues have started experiencing weird behaviour if they click the browser back button. I will explain it using multiple unique versions of the same cookie - A, B and C.

1. User adds 2 items to the basket, their order being identified by cookie A.
2. User clicks on the browser's back button (sometimes they click it multiple times), which shows them a product list; they add another product to the basket, which they believe is added to order/cookie A.
3. The user goes to the basket to find only the items from step 2. There, developer tools show that the browser now has cookie B.
4. We repeat step 2 and go to the basket to find the newly added items added to the order/cookie set A.
5. A couple of browser backs displays cookie set C.
6. A few more and we are back to A.

We have experienced this in Internet Explorer 11 and Google Chrome so far.
I have tested it with console.log(document.cookie); in developer tools. The browser seems to be holding multiple versions of the same name-value pair.
The cookie name-value pairs are set using the following JavaScript function:

I have always been under the impression that once we set a cookie using the same c_name as an existing one, the old version is overwritten. Moreover, the value of our orderID cookie is generated on the server using Guid.NewGuid() in .NET, so it is extremely unlikely that a duplicate will be created within the same session. I found out that multiple versions of the same cookie can exist when we use different path=/{url_path} values for its location, but it can't be the issue here, since the cookie is always set using the function above, which always uses "path=/" - the root of our domain. We also have a redirect rule to ensure that only the www. version of the domain can be displayed, and we have no subdomains.

I have been trying to understand why and how the browser could keep multiple versions of the same name-value pair cookie. If that is the case - how can I detect when this happens in JavaScript (or .NET on the server) and thus avoid it? Another key point of my question is the browser's back button. It seems we are only able to recreate this behaviour when we click it. Refreshing the same page or following a link never replaces the existing cookie. UPDATE: We noticed this behaviour also when using window.location.href = url in JS for sending the user to another page.
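One way to check for the duplicate-name situation the question asks about, as an added example that is not part of the original post: parse a document.cookie-style string and report every name that occurs more than once. When several distinct cookies (different Path or Domain attributes) match the current URL, the browser serializes all of them into document.cookie and into the Cookie request header, so the same name appearing twice is the direct symptom. The sample string and the orderID/sessionID names below are constructed, not taken from the question.

```javascript
// Added example (not the original poster's code): detect cookies that share a
// name in a document.cookie-style string. Browsers list every matching cookie,
// longest Path first and then oldest creation time, separated by "; ".

function parseCookieString(cookieString) {
  // Returns a Map from cookie name to the list of values seen, in the order
  // the browser serialized them.
  const byName = new Map();
  for (const part of cookieString.split(';')) {
    const pair = part.trim();
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    // A cookie with no '=' is a nameless value; keep it under the empty name.
    const name = eq === -1 ? '' : pair.slice(0, eq).trim();
    const value = eq === -1 ? pair : pair.slice(eq + 1);
    if (!byName.has(name)) byName.set(name, []);
    byName.get(name).push(value);
  }
  return byName;
}

function findDuplicateCookies(cookieString) {
  // Returns { name: [value1, value2, ...] } for every name seen more than once.
  const duplicates = {};
  for (const [name, values] of parseCookieString(cookieString)) {
    if (values.length > 1) duplicates[name] = values;
  }
  return duplicates;
}

// Constructed sample of what document.cookie could look like when the page has
// picked up two distinct cookies named orderID (hypothetical values A and B).
const SAMPLE_COOKIE_STRING = 'orderID=A; sessionID=s1; orderID=B';

// Usage in a browser: pass the live value and surface any duplicates.
//   const dupes = findDuplicateCookies(document.cookie);
//   if (Object.keys(dupes).length) console.warn('duplicate cookies', dupes);
```

The same parser works on the server side against the raw Cookie request header, which is what a .NET handler would inspect. A caveat worth remembering when trying to clear a stray copy: a cookie is only deleted by a Set-Cookie (or document.cookie assignment) whose name, Path and Domain all match the cookie to be removed, so a delete written with path=/ will not touch a copy that was created with a longer path or an explicit domain attribute.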
