Everything I read about cookies says that setting the expiry time of a cookie to zero should make it a "session" cookie, which the browser will then delete upon exit.

http://www.cookiecentral.com/faq/ says that :

"...generally a session is the length of time that the browser is open for..."

http://uk2.php.net/manual/en/function.setcookie.php says :

"If set to 0, or omitted, the cookie will expire at the end of the session (when the browser closes)."

However, some experimenting in Firefox (3.0.8) shows that:

  • cookies set as session and secure get deleted on exit
  • cookies set as session only do not get deleted on exit

Opera (9.64) behaves as I would expect, deleting the session cookies upon exit whether set as secure or not.

I wanted to be able to rely on this in a web-app I'm working on (having a secure cookie and an insecure cookie as a "logged-in" flag and having them expire together, either with a real time or 0 for a session), but it seems that even if it's in the standard then browsers are not consistent enough to rely on it :/

Is this a bug in the browser, expected behaviour, and/or is the actual lifetime of session cookies not really defined in the standard?

+6  A: 

You should never rely on client-side features.

The feature you're working on is usually implemented by storing the session ID client-side and the real user info server-side (their ID, whether they're logged in or not, their personal info, etc.).

Also bear in mind cookies get sent in every request, so the less you store in a cookie, the better.

Seb
Note that "never rely" doesn't mean you can't try to take advantage of client-side features. Set cookie expiry times as they should work, but make completely sure your server-side code handles old, invalid cookies.
dwc
Totally agree with dwc. You _can_ take advantage of client-side features; just don't think they will be always available with every user and every request.
Seb
That's a really rather important point that I have completely missed. Assuming that the expiry will work for this in all browsers will always give me this problem. I guess I'll have to find another way to do this... and it seemed quite elegant until now :/
Legooolas
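The server-side approach Seb and dwc describe, as an added example that is not from the original thread: the client gets only a random session ID in a Secure cookie plus the insecure `logged_in` flag from the question, both issued as session cookies with no expiry, while the server keeps the real state and enforces its own lifetime, so a cookie the browser failed to discard is still rejected. The `SESSION_TTL` value and the in-memory store are assumptions standing in for a real session backend.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 30 * 60  # assumed server-side lifetime in seconds

# Constructed in-memory session store: session_id -> {"user_id", "expires_at"}.
# A real deployment would use a database or cache; the shape is what matters.
_sessions = {}


def create_session(user_id, now=None):
    """Issue a session: only a random ID goes to the client, state stays here."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user_id": user_id, "expires_at": now + SESSION_TTL}
    return sid


def session_cookies(sid):
    """Set-Cookie header values: a Secure/HttpOnly session ID and an insecure
    logged_in flag, both session cookies (no Max-Age or Expires attribute)."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    c["sid"]["path"] = "/"
    c["logged_in"] = "1"  # convenience flag for the client only, never trusted
    c["logged_in"]["path"] = "/"
    return [m.OutputString() for m in c.values()]


def authenticate(cookie_header, now=None):
    """Resolve the request's user from its Cookie header.  The logged_in flag
    is ignored; only a live server-side session record counts."""
    now = time.time() if now is None else now
    c = SimpleCookie()
    c.load(cookie_header or "")
    if "sid" not in c:
        return None
    sid = c["sid"].value
    rec = _sessions.get(sid)
    if rec is None:
        return None  # unknown, forged, or already logged-out session
    if rec["expires_at"] <= now:
        _sessions.pop(sid, None)  # stale cookie the browser kept past "exit"
        return None
    return rec["user_id"]


def logout(sid):
    """Server-side invalidation: the cookie may linger, the session does not."""
    return _sessions.pop(sid, None) is not None
```

Because expiry is decided by the store and not by the browser, the Firefox behaviour from the question changes nothing about who is treated as logged in.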