Reputation: 14578
I delete all cookies for the site in my browser, check cookies again: no cookies. Reload example.com, check cookies: SESSID (my php session cookie).
Shouldn't there be no cookies at all if I don't log in? What can be causing this?
I imagine one possible cause: flash messages. But I'm not using them in example.com, I only check whether there is a flash message to print, and do nothing if there isn't.
I tried disabling CSRF protection, but it didn't work.
This is the response according to the profiler, right after deleting the cookies and issuing a request: http://i.imm.io/LSRr.jpeg
Upvotes: 1
Views: 991
Reputation: 14578
I opened an issue for this: https://github.com/symfony/symfony/issues/6036
Apparently the session can be created even if you don't store anything in it.
Upvotes: 1
Reputation: 2733
Check your config files for this:

    framework:
        session:
            auto_start: true

There are many reasons a session could be created without logging in. A third party bundle could be creating a session, session.auto_start could be enabled in your php.ini, or your particular security configuration could be creating a session automatically. Using CSRF tokens in your forms will also create sessions.
Upvotes: 1
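An added example, not part of the answer above or of Symfony's code: a Python check for two of the causes the answer lists (session.auto_start in php.ini and framework.session.auto_start in the Symfony config), plus a check of whether a response to a cookie-less request sets a session cookie. The sample file contents, the acme_demo section and the function names are constructed for illustration; PHPSESSID is PHP's default session cookie name.

```python
import re

# Constructed sample inputs, not taken from the original thread.
PHP_INI = """\
[Session]
;session.auto_start = 0
session.auto_start = 1
"""
SYMFONY_YML = """\
acme_demo:            # hypothetical bundle section, must not match
    session:
        auto_start: false
framework:
    session:
        auto_start: true   # the setting named in the answer
"""
RESPONSE_HEADERS = """\
HTTP/1.1 200 OK
Set-Cookie: SESSID=0123456789abcdef; path=/; HttpOnly
"""
TRUTHY = {"1", "on", "true", "yes"}

def php_ini_autostart(text):
    # The last uncommented session.auto_start directive wins.
    enabled = False
    for line in text.splitlines():
        m = re.match(r"\s*session\.auto_start\s*=\s*\"?(\w+)", line)
        if m:
            enabled = m.group(1).lower() in TRUTHY
    return enabled

def yaml_autostart(text):
    # Indentation walk for framework > session > auto_start (no YAML library).
    path = []  # stack of (indent, key)
    for line in text.splitlines():
        m = re.match(r"( *)([\w.]+):\s*([^#]*)", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        while path and path[-1][0] >= indent:
            path.pop()
        path.append((indent, key))
        if [k for _, k in path] == ["framework", "session", "auto_start"]:
            return value.lower() in TRUTHY
    return False

def session_cookies_set(raw_headers, names=("SESSID", "PHPSESSID")):
    # Session cookies set by a response to a request that sent no cookies.
    hits = re.findall(r"(?im)^set-cookie:\s*([^=;\s]+)=", raw_headers)
    return [n for n in hits if n in names]
```

If both config checks return False while the response still sets the cookie, the session is being started by application or bundle code, which is the remaining case the answer describes.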
Reputation: 443
Most websites use cookies for much more than remembering your username and password. They are created to check when you last visited the site, if you have any custom settings set up for the site, to remember user name and password for automatic login.
So yes, it is normal for most websites to create a cookie or more every time you first visit it, and then update those with each visit.
Also, I think the SESSID will only come up in some browsers and is used to check the session id against the server.
What browser are you using? It might be a cookie created by the browser and not the website.
Upvotes: -1