The MaxAge of -1 signals that you want the cookie to persist for the duration of the session. You want to set MaxAge to 0 instead.

MaxAge 为 -1 表示您希望 cookie 在会话期间持续存在。您希望将 MaxAge 设置为 0。

From the API documentation:

从API 文档：

A negative value means that the cookie is not stored persistently and will be deleted when the Web browser exits. A zero value causes the cookie to be deleted.

负值表示 cookie 不会持久存储，将在 Web 浏览器退出时删除。零值会导致 cookie 被删除。

Keep in mind that a cookie is actually defined by the tuple of it's name, path, and domain. If any one of those three is different, or there is more than one cookie of the same name, but defined with paths/domains that may still be visible for the URL in question, you'll still see that cookie passed on the request. E.g. if the url is "http://foo.bar.com/baz/index.html", you'll see any cookies defined on bar.com or foo.bar.com, or with a path of "/" or "/baz".

请记住，cookie 实际上是由它的名称、路径和域的元组定义的。如果这三个中的任何一个不同，或者有多个相同名称的 cookie，但定义的路径/域对于相关 URL 可能仍然可见，您仍然会看到该 cookie 在请求中传递。例如，如果 url 是“ http://foo.bar.com/baz/index.html”，您将看到在 bar.com 或 foo.bar.com 上定义的任何 cookie，或者路径为“/”或“/巴兹”。

Thus, what you have looks like it should work, as long as there's only one cookie defined in the client, with the name "SSO_COOKIE_NAME", domain "SSO_DOMAIN", and path "/". If there are any cookies with different path or domain, you'll still see the cookie sent to the client.

因此，只要客户端中只定义了一个 cookie，名称为“SSO_COOKIE_NAME”、域“SSO_DOMAIN”和路径“/”，您所拥有的看起来应该可以工作。如果有任何具有不同路径或域的 cookie，您仍然会看到发送到客户端的 cookie。

To debug this, go into Firefox's preferences -> Security tab, and search for all cookies with the SSO_COOKIE_NAME. Click on each to see the domain and path. I'm betting you'll find one in there that's not quite what you're expecting.

要对此进行调试，请进入 Firefox 的首选项 -> 安全选项卡，然后搜索所有带有 SSO_COOKIE_NAME 的 cookie。单击每个以查看域和路径。我敢打赌你会在那里找到一个与你期望的不太一样的。

This is code that I have effectively used before, passing "/"as the strPath parameter.

这是我之前有效使用的代码，"/"作为 strPath 参数传递。

public static Cookie eraseCookie(String strCookieName, String strPath) {
    Cookie cookie = new Cookie(strCookieName, "");
    cookie.setMaxAge(0);
    cookie.setPath(strPath);

    return cookie;
}

Cookie[] cookies = request.getCookies();
if(cookies!=null)
for (int i = 0; i < cookies.length; i++) {
 cookies[i].setMaxAge(0);
}

did that not worked? This removes all cookies if response is send back.

那没有用吗？如果响应被发回，这将删除所有 cookie。

In my environment, following code works. Although looks redundant at first glance, cookies[i].setValue("");and cookies[i].setPath("/");are necessary to clear the cookie properly.

在我的环境中，以下代码有效。虽然看起来冗余乍看之下，cookies[i].setValue("");和cookies[i].setPath("/");是必要的，正确清除该cookie。

private void eraseCookie(HttpServletRequest req, HttpServletResponse resp) {
    Cookie[] cookies = req.getCookies();
    if (cookies != null)
        for (Cookie cookie : cookies) {
            cookie.setValue("");
            cookie.setPath("/");
            cookie.setMaxAge(0);
            resp.addCookie(cookie);
        }
}

One special case: a cookie has no path.

一种特殊情况：cookie 没有路径。

In this case set path as cookie.setPath(request.getRequestURI())

在这种情况下，将路径设置为 cookie.setPath(request.getRequestURI())

The javascript sets cookie without path so the browser shows it as cookie for the current page only. If I try to send the expired cookie with path == /the browser shows two cookies: one expired with path == /and another one with path == current page.

javascript 设置没有路径的 cookie，因此浏览器仅将其显示为当前页面的 cookie。如果我尝试使用path == /浏览器发送过期的 cookie 会显示两个 cookie：一个过期，path == /另一个过期path == current page。