Friday, April 29, 2011

Should a web browser delete all `session' (expiry = 0) cookies on exit?

Everything I read about cookies says that setting the expiry time of a cookie to zero should make it a `session' cookie, which the browser will then delete upon exit.

http://www.cookiecentral.com/faq/ says that :

"...generally a session is the length of time that the browser is open for..."

http://uk2.php.net/manual/en/function.setcookie.php says :

"If set to 0, or omitted, the cookie will expire at the end of the session (when the browser closes)."

However, some experimenting in Firefox (3.0.8) shows that:

  • cookies set as session and secure get deleted on exit
  • cookies set as session only do not get deleted on exit

Opera (9.64) behaves as I would expect, deleting the session cookies upon exit whether set as secure or not.

I wanted to be able to rely on this in a web-app I'm working on (having a secure cookie and an insecure cookie as a "logged-in" flag and having them expire together, either with a real time or 0 for a session), but it seems that even if it's in the standard then browsers are not consistent enough to rely on it :/

Is this a bug in the browser, expected behaviour, and/or is the actual lifetime of session cookies not really defined in the standard?

From stackoverflow

  • You should never rely on client-side features.

    The feature you're working on is usually implemented storing the session ID client-side and the real user info server-side (its ID, whether he's logged in or not, his personal info, etc).

    Also bear in mind cookies get sent in every request, so the less you store in a cookie, the better.

    dwc : Note that "never rely" doesn't mean you can't try to take advantage of client-side features. Set cookie expire times as it should work, but make completely sure your server-side code handles old, invalid cookies.
    Seb : Totally agree with dwc. You _can_ take advantage of client-side features; just don't think they will be always available with every user and every request.
    Legooolas : That's a really rather important point that I have completely missed. Assuming that the expiry will work for this in all browsers will always give me this problem. I guess I'll have to find another way to do this... and it seemed quite elegant until now :/
Posted by Ku XI at 10:03 PM

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)