Should a web browser delete all `session' (expiry = 0) cookies on exit?

Question

Everything I read about cookies says that setting the expiry time of a cookie to zero should make it a `session' cookie, which the browser will then delete upon exit.

http://www.cookiecentral.com/faq/ says that :

"...generally a session is the length of time that the browser is open for..."

http://php.net/manual/en/function.setcookie.php says :

"If set to 0, or omitted, the cookie will expire at the end of the session (when the browser closes)."

However, some experimenting in Firefox (3.0.8) shows that:

• cookies set as session and secure get deleted on exit
• cookies set as session only do not get deleted on exit

Opera (9.64) behaves as I would expect, deleting the session cookies upon exit whether set as secure or not.

I wanted to be able to rely on this in a web-app I'm working on (having a secure cookie and an insecure cookie as a "logged-in" flag and having them expire together, either with a real time or 0 for a session), but it seems that even if it's in the standard then browsers are not consistent enough to rely on it :/

Is this a bug in the browser, expected behaviour, and/or is the actual lifetime of session cookies not really defined in the standard?

Answer 1

You should never rely on client-side features.

The feature you're working on is usually implemented storing the session ID client-side and the real user info server-side (its ID, whether he's logged in or not, his personal info, etc).

Also bear in mind cookies get sent in every request, so the less you store in a cookie, the better.