0

If an application attempts to set a persistent cookie, but the browser's security settings are configured to block persistent cookies, will the browser treat it as a session cookie instead and store it until the end of the browsing session?

You would need to know this if you wanted to store the id of a user's shopping basket or similar. You'd like it to use a persistent cookie if the browser accepts it, otherwise fall back to a session cookie.

Dan Malcolm

2 Answers

0

OK, I got impatient and did some experimenting myself.

Blocked persistent cookies don't get implicitly "downgraded" to session cookies; they're not stored at all - see experiment below.

You might be thinking "yeah, that's obvious, what part of the word 'blocked' did you not understand?". It's just something to bear in mind if you want to use a persistent cookie and fall back to a session cookie.

In the shopping basket scenario above, the best approach might be to store the basket id in both a persistent cookie and a session cookie. If the persistent cookie is blocked, then at least you can use the session cookie during the rest of the browser session. On the user's next visit to the site (after the session cookie has been deleted) you can restore their basket using the persistent cookie if it's available.

Here's an experiment that I ran in Internet Explorer 11.

Step 1. Store some example cookies with settings that accept both session and persistent cookies

In IE, open Internet Options - Privacy Tab - Advanced Button. For First-party Cookies, select "Accept" and check "Always allow session cookies".

Browse to http://stackoverflow.com, open F12 developer tools and run the following script in the console window:

var expiry = new Date();
expiry.setDate(expiry.getDate() + 7);
// set a persistent cookie
document.cookie='persistent1=test;path=/;expires=' + expiry.toUTCString();
// set a session cookie
document.cookie='session1=test;path=/'; 
document.cookie;    

document.cookie outputs "persistent1=test; session1=test" as we'd expect.

Close and re-open IE and run "document.cookie" again from the console. The persistent cookie remains but the session cookie has gone.

Nothing new so far and this is stating the obvious. However, session cookie behaviour varies among browsers and could confuse the experiment - for example, Chrome doesn't always delete session cookies.

Step 2. Store some example cookies with settings that accept session cookies but block persistent cookies

Delete browsing history so we're starting fresh.

In IE, open Internet Options - Privacy Tab - Advanced Button. For First-party Cookies, select "Block" and check "Always allow session cookies".

Browse back to http://stackoverflow.com and run the above script again.

This time, document.cookie outputs "session1=test" - only the session cookie has been stored. The blocked persistent cookie has not been stored at all and is not available, not even as a session cookie.

Dan Malcolm
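
The dual-cookie fallback suggested in the answer above, sketched in JavaScript as an added example (not code from the original answer). The cookie names `basket_p` and `basket_s`, the `Secure;SameSite=Lax` attributes (which assume an HTTPS site), the id format and `ToyJar`, a toy model of the blocking behaviour seen in the experiment, are all assumptions.

```javascript
// Added example: cookie names, attributes, id format and ToyJar are assumptions.
const PERSISTENT = 'basket_p', SESSION = 'basket_s';
// Opaque token only, so a value can never smuggle in ';' and extra attributes.
const ID_RE = /^[A-Za-z0-9_-]{16,64}$/;

// Build the two strings to assign to document.cookie, one after the other.
function buildBasketCookies(basketId, days, now = new Date()) {
  if (!ID_RE.test(basketId)) throw new Error('invalid basket id');
  const expiry = new Date(now.getTime() + days * 86400000);
  const attrs = ';path=/;Secure;SameSite=Lax';
  return [
    `${PERSISTENT}=${basketId}${attrs};expires=${expiry.toUTCString()}`,
    `${SESSION}=${basketId}${attrs}`,
  ];
}

// Read the id from a document.cookie string: persistent first, then session.
function readBasketId(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  for (const name of [PERSISTENT, SESSION]) {
    const v = jar.get(name);
    if (v !== undefined && ID_RE.test(v)) return v; // ignore malformed values
  }
  return null;
}

// Toy stand-in for the browser: a blocked persistent cookie is dropped, not downgraded.
class ToyJar {
  constructor(blockPersistent) { this.block = blockPersistent; this.items = []; }
  set(cookie) {
    const persistent = /;\s*expires=/i.test(cookie);
    if (persistent && this.block) return;
    this.items.push({ pair: cookie.split(';')[0], persistent });
  }
  restart() { this.items = this.items.filter(c => c.persistent); } // session ends
  get cookie() { return this.items.map(c => c.pair).join('; '); }
}

// Returns what the page can read during the session and after a browser restart.
function demo(blockPersistent) {
  const jar = new ToyJar(blockPersistent);
  const id = 'k3Xq9vT1mZp0aB7cD2eF'; // constructed sample id
  buildBasketCookies(id, 7).forEach(c => jar.set(c));
  const during = readBasketId(jar.cookie);
  jar.restart();
  return { during, afterRestart: readBasketId(jar.cookie) };
}
```

In a real page, each string returned by `buildBasketCookies` is assigned to `document.cookie` and `readBasketId(document.cookie)` is called on load.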
-1

Persistent cookie remains as persistent. Session cookies are only cookies for a session. Persistent cookies are persistent and that says it ALL