6

The only data in the cookie is the session ID. There is no expiration timestamp set when creating it; a session is always evaluated server-side to see if it has expired.

When logging out, the session is destroyed server-side. Is there any point then in expiring the cookie?

Stijn
  • 164
  • 1
  • 8

3 Answers

7

Telling the browser to expire the cookie is just a convenience, because the user is always able to override that. After all, the cookie is really on his browser, so you'll always check the expiry of the session on the server side.

That said, I'd still recommend setting an expiry date on cookies. It's a piece of information there in the user's browser, and when it's not needed anymore it's not a bad idea to tell the browser to get rid of it.

Adi
  • 43,953
  • 16
  • 137
  • 168
  • I respectfully disagree. When you "tell the browser to get rid of it" you are also telling it to **keep** it after the user has closed the browser (until a certain amount of time has passed). This presents its own security risk if the user has not clicked the logout button. See my answer below. – John Wu Dec 20 '13 at 20:53
2

While it would not pose a direct risk I would just expire it anyway. It's only an extra line of code, so why not.

Lucas Kauffman
  • 54,229
  • 17
  • 113
  • 196
1

No. In fact it is harmful.

Technically, you can't expire a session cookie: the moment you set an expiration date, it becomes a persistent cookie.

I think what you mean to ask is "Is it best to store a session ID in a session cookie or in a persistent cookie?" I would recommend a session cookie, as it is held only in memory and is removed from the cookie jar the moment the user closes the browser. If you use a persistent cookie, it's stored in the filesystem, and it isn't dropped until it expires or until the user clicks the logout button, and sometimes they forget. The persistent cookie will stick around a while, meaning that a malicious user could come along a few moments later, open a browser, and resume the user's session.

John Wu
  • 9,181
  • 1
  • 29
  • 39
  • Let me guess, you're a PHP (or .Net) developer, right? – Adi Dec 20 '13 at 23:20
  • As far as I know, the "expires" attribute of a cookie is universal to all browsers regardless of server technology. ASP.NET+MVC if you must know. – John Wu Dec 20 '13 at 23:37
  • The date can be set in the past at the point it is to be **removed**. Only when it is set can it have no date, so it will act as a session cookie. If you don't trust the browser to delete it, you could set the cookie value to another value, e.g. empty string. – SilverlightFox Dec 21 '13 at 13:37
  • You should not assume the user will click the logout button (which is necessary if you want the server to set the date in the past), nor should you assume that you can get the browser to do it, not reliably. Heck, a user may not even have script enabled. So yes, "you" can set the date of a cookie in the past, but "you" are not going to be there personally, and you can't count on the server or the browser to do it in your absence. – John Wu Dec 21 '13 at 23:07
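The pattern the answers converge on, as an added example that is not part of the original thread: the session ID travels in a session cookie (no Expires/Max-Age), logout destroys the session server-side first and only then asks the browser to drop the cookie, and every request is validated against the server-side store so a replayed cookie is rejected whatever the browser did with it. The in-memory store, the idle timeout and the cookie name `sid` are constructed for this example.

```python
import secrets
from email.utils import formatdate

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dead (assumed)

# Constructed in-memory session store: sid -> {"user": ..., "last_seen": ...}.
# This store, not the cookie, is the authority on whether a session is alive.
SESSIONS = {}


def session_cookie_header(sid):
    """Set-Cookie for a session cookie: no Expires/Max-Age, so the browser
    keeps it only in memory and drops it when the browser is closed."""
    return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def clearing_cookie_header():
    """Set-Cookie that asks the browser to remove the cookie: empty value,
    Max-Age=0 and an Expires date in the past (both, for older browsers)."""
    past = formatdate(0, usegmt=True)  # Thu, 01 Jan 1970 00:00:00 GMT
    return (f"Set-Cookie: sid=; Path=/; Max-Age=0; Expires={past}; "
            "Secure; HttpOnly; SameSite=Lax")


def login(user, now):
    """Create a server-side session and return (sid, Set-Cookie header)."""
    sid = secrets.token_urlsafe(32)  # unguessable session ID
    SESSIONS[sid] = {"user": user, "last_seen": now}
    return sid, session_cookie_header(sid)


def logout(sid):
    """Destroy the session server-side; the header is only a courtesy to
    the browser and may or may not be honoured."""
    SESSIONS.pop(sid, None)
    return clearing_cookie_header()


def authenticate(sid, now):
    """Resolve a presented session ID to a user, or None. Runs on every
    request, so a cookie replayed after logout or after the idle timeout
    is rejected regardless of what the browser did with the cookie."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if now - sess["last_seen"] > IDLE_TIMEOUT:
        del SESSIONS[sid]  # expired server-side; drop it
        return None
    sess["last_seen"] = now
    return sess["user"]
```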