65

I can't seem to figure out how to create a persistent vs a non-persistent cookie. How do they differ, say, in the HTTP headers that are sent back?

Chung Wu

4 Answers

78

Cookies have an expiration date implicitly or explicitly set which controls how long they last (subject to the user agent actually enforcing it). A cookie may persist only for the duration of the session (or an even shorter period).

If a cookie is valid, it will be passed along with the HTTP request to the domain that it originated from. Only the domain that set the cookie can read the cookie (though there are ways to exploit this, such as cross-site scripting).

  • If you want a cookie to expire at a specific time, set an expiration date on it using the client or server-side language of your choice.

  • If you want the cookie to expire when the session ends, don't set an expiration date.

From the RFC (emphasis mine):

The cookie setter can specify a deletion date, in which case the cookie will be removed on that date.

If the cookie setter does not specify a date, the cookie is removed once the user quits his or her browser.

As a result, specifying a date is a way for making a cookie survive across sessions. For this reason, cookies with an expiration date are called persistent.

As an example application, a shopping site can use persistent cookies to store the items users have placed in their basket. (In reality, the cookie may refer to an entry in a database stored at the shopping site, not on your computer.) This way, if users quit their browser without making a purchase and return later, they still find the same items in the basket so they do not have to look for these items again. If these cookies were not given an expiration date, they would expire when the browser is closed, and the information about the basket content would be lost.

Community
Tim M.
  • And if I only want the cookie to persist for the session, what expiration should I set? – Chung Wu Oct 06 '10 at 17:53
  • Thanks! Does that mean any Set-Cookie without an expires clause will be a session cookie, and will be lost once the browser restarts? Because that's not what I see... Once I do a Set-Cookie without expires, and restart the browser, I can still read that cookie back. Is that expected? – Chung Wu Oct 06 '10 at 19:00
  • I double-checked to make sure and posted some additional links. What language/web server are you running that you are seeing this behavior? – Tim M. Oct 06 '10 at 19:11
  • Man, I'm sorry for turning this into a debugging session! I'm using pylons, but I'm just looking at the HTTP headers right now. After doing Set-Cookie key=something; path=/;, restarting the browser, and reloading the page, I see that cookie still in the request. Not sure what else I'm missing... – Chung Wu Oct 06 '10 at 20:26
  • No worries. If you look at the actual file system, can you see the cookie stored there? In IE on Vista/Windows 7, the cookies should be in C:\Users\[user name]\AppData\Local\Microsoft\Windows\Temporary Internet Files – Tim M. Oct 06 '10 at 20:37
  • 6
    I finally found out what happened. On Firefox, if you turn on session restore ("When Firefox starts: Show my windows and tabs from last time"), it'll restore even the session cookies when you restart! See https://bugzilla.mozilla.org/show_bug.cgi?id=443354 – Chung Wu Oct 13 '10 at 19:26
  • 1
    That's an interesting behavior... on the one hand, it seems like a huge bug; on the other hand, I can see why non-technical users would expect their sessions to just continue. You could theoretically perform limited checks against that scenario by looking to see if the session that the cookie references actually still exists, although I have found that checks like that can be notoriously hard and prone to error. An easier way would be to just write a persistent cookie every time a page was viewed with the date, and check how long it has been since last activity. – Tim M. Oct 14 '10 at 01:27
  • It seems surprising that just adding a date to a cookie causes it to be persistent. – Robert Moore Jun 15 '17 at 20:08
  • Can you also do this with `max-age`? – Aaron Franke Nov 19 '19 at 00:51
  • @AaronFranke - it appears that you can make a cookie persistent with `max-age`: https://tools.ietf.org/html/rfc6265#page-21 – Tim M. Nov 19 '19 at 03:38
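The header-level difference discussed in the answer and comments above, as an added example that is not part of any answer on this page: a Python function that classifies a `Set-Cookie` value as session, persistent or already expired using the RFC 6265 rules (`Max-Age` takes precedence over `Expires`; neither attribute means a session cookie). The function name `cookie_lifetime` and the sample header values are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def cookie_lifetime(set_cookie_value, now):
    """Return (kind, seconds_left) for one Set-Cookie header value.

    kind is "session", "persistent" or "expired"; seconds_left is None
    for session cookies. `now` must be a timezone-aware datetime.
    """
    attrs = {}
    for part in set_cookie_value.split(";")[1:]:  # skip the name=value pair
        key, _, val = part.strip().partition("=")
        if key:  # tolerate a trailing ";" as in "key=something; path=/;"
            attrs[key.lower()] = val.strip()  # a repeated attribute: last wins

    # Max-Age wins over Expires when both are present and Max-Age is valid.
    if "max-age" in attrs:
        try:
            seconds = int(attrs["max-age"])
        except ValueError:
            seconds = None  # a malformed Max-Age is ignored, Expires may apply
        if seconds is not None:
            return ("expired", 0) if seconds <= 0 else ("persistent", seconds)

    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            when = None  # an unparseable date is ignored: session cookie
        if when is not None:
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            left = int((when - now).total_seconds())
            return ("expired", 0) if left <= 0 else ("persistent", left)

    # No usable Max-Age or Expires: the cookie lives until the browser
    # session ends (a browser with session restore may keep it longer).
    return ("session", None)


if __name__ == "__main__":
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed clock
    for header in (
        "key=something; path=/;",
        "key=something; Path=/; Expires=Thu, 01 Jan 2026 01:00:00 GMT",
        "key=something; Max-Age=60; Expires=Thu, 01 Jan 2026 01:00:00 GMT",
    ):
        print(cookie_lifetime(header, now), "<-", header)
```
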
13

There are two types of cookies in ASP.NET:

Persistent cookies:

Cookies are stored on your computer hard disk. They stay on your hard disk and can be accessed by web servers until they are deleted or have expired.

```csharp
public void SetPersistentCookies(string name, string value)
{
    HttpCookie cookie = new HttpCookie(name);

    cookie.Value = value;

    // An explicit expiration date is what makes the cookie persistent.
    cookie.Expires = Convert.ToDateTime("12/12/2008");

    Response.Cookies.Add(cookie);
}
```

Non-persistent cookies:

Cookies are saved only while your web browser is running. They can be used by a web server only until you close your browser. They are not saved on your disk.

```csharp
public void SetNonPersistentCookies(string name, string value)
{
    HttpCookie cookie = new HttpCookie(name);

    cookie.Value = value;

    Response.Cookies.Add(cookie);
}
```
Pankaj Makwana
Deepak.Aggrawal
6

Session cookie

```csharp
HttpCookie cookie = new HttpCookie("myCookieName", "myCookieValue");
Response.Cookies.Add(cookie);
```

Cookie with a certain time-stamp (.NET DateTime library)

```csharp
HttpCookie cookie = new HttpCookie("myCookieName", "myCookieValue");
cookie.Expires = DateTime.Today.AddMonths(12); // or AddMinutes, or AddHours...
Response.Cookies.Add(cookie);
```

Persistent Cookie

```csharp
HttpCookie cookie = new HttpCookie("myCookieName", "myCookieValue");
cookie.Expires = DateTime.MaxValue;
Response.Cookies.Add(cookie);
```
nathanchere
expertCode
0

Persistent cookies have an expiration date issued to them by the web server. Basically, this type of cookie is saved on your computer so when you close it and start it up again, the cookie is still there. Once the expiration date is reached, it is destroyed by the owner.

Reference: https://www.cookiepro.com/knowledge/what-is-a-persistent-cookie/

If a cookie does not contain an expiration date, it is considered a session/non-persistent cookie.

So, basically persistent cookies come with the expires attribute e.g.

expires="Wdy, DD-Mon-YYYY HH:MM:SS GMT"
Saikat