2

According to Where are $_SESSION variables stored?: "Usually the session-id is stored in a cookie, but it can also be appended to urls". Once I read that, I asked myseld: so, why is it said that the session-id is deleted when closing the browsers window if it is stored in a cookie?

Then, after Googling a little bit more about it, I found that there are two different types of cookies: session cookies and persistent cookies.

I guess that the session-id is stored in a session cookie, but: beyond the name evidence, why is a session stored in a session cookie and not in a persistent cookie? What is the need of creating a new session-id every time the browser is opened? Why don't re-use it?

Community
  • 1
  • 1
Franzech Domâs
  • 249
  • 2
  • 7
  • Did you read about session cache expire? – Jonas Wilms Aug 07 '16 at 17:27
  • Sorry, but I don't see exactly the relation of the session cache expire with the question. – Franzech Domâs Aug 07 '16 at 17:37
  • If you check the stored cookies you will see that theyre still there. Its not the cookie that expires its the server cache – Jonas Wilms Aug 07 '16 at 17:38
  • But I read all over the Internet: "The problem with sessions is that when you close your browser you also lose the session". So you mean that actually they are not immediately deleted by the client-side, but it tends to be like this because whenever the user re-opens the browser the server session cache configuration has already deleted it? – Franzech Domâs Aug 07 '16 at 17:46
  • Implement your own cookie/cache than you can control when it expires – Jonas Wilms Aug 08 '16 at 05:58

1 Answers1

1

There are many reasons you store sessions in session cookies. One case is public computers: if the previous user has logged into their bank account at the library to pay bills you don't want the next user to be able to log into that session by just looking at the History log in the browser. Being sure that the session is gone by closing the browser alleviates this.

You can also use persistent cookies, and many do too, such as Gmail, but what is then important is to set an expiration time that is not too long. Otherwise, if someone gets hold of the session id they can use that forever. Usually the server will send you a new valid session id some minutes before the next goes out to keep your session alive.

oligofren
  • 20,744
  • 16
  • 93
  • 180