Whether to set an expiration date for cookies that manage sessions

Asked 1 year ago, Updated 1 year ago, 137 views

According to the OWASP Session Management Cheat Sheet, Cookies > Expires and Max-Age Attributes section (JPCERT Japanese translation), cookies that do not have Expires or Max-Age set are forcibly removed when the browser instance ends, so it is strongly recommended to use such non-persistent cookies for session management.

On the other hand, I am concerned that it may not be obvious what "when the browser instance ends" in this sentence actually refers to.
For example, the behavior shown in the following links (at least in my case) is contrary to what I expected.
(I don't know whether it is still the same now, since they all seem a little old.)

In my case, I am thinking of managing a session with an expiration time of at least one hour.

Considering the behavior above, I thought it would be fine to use persistent cookies instead of non-persistent cookies (I think they can be managed, and deleted, more reliably than non-persistent cookies), but am I misunderstanding or missing any problems?

cookie browser

2022-09-29 21:35

1 Answer

This problem is quite difficult, but I still think you should be careful about setting an expiration time on session management cookies.

This is because, on the other hand, the session can be unintentionally left behind and reused.
For example, if the cookie on a shared PC is set to remain for one hour, there will be the problem that the session remains.
The problem of browser session retention is most likely already dealt with as a known problem by the IT management department, and most of the time it is dealt with by not keeping the session and not leaving the browser running.
In that case, if you set an expiration time, you will have the problem that the session remains because of the cookie even after the browser instance is closed.

The reason I said you should be careful is that, for example, like this site, I think it would be better if the client could choose something like "use a cookie with a one-hour expiration time" or "do not set an expiration time on a shared computer". Of course, it depends on the environment and circumstances, such as systems where shared PCs cannot be used.

Also, since the session is only used to match browser and server information, it is a good idea to shorten the retention period of the server-side session.
Even if a session cookie is left in the browser, if the server deletes the session after a certain period of time, it becomes difficult to keep the session alive. Of course, there are convenience issues, so I think you need to check the requirements carefully.


2022-09-29 21:35
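The following is an added example, not code from the question, the answer, or the OWASP cheat sheet. It shows the two mechanisms the answer contrasts: the Set-Cookie attributes that make a session cookie non-persistent (no Expires/Max-Age) versus persistent (Max-Age), and a server-side session store with idle and absolute timeouts that bounds the lifetime of a leftover session on a shared PC regardless of what the browser still holds. The cookie name, the timeouts, the user name, and the shared-PC walk-through are assumptions chosen for illustration; the one-hour Max-Age is the value from the question.

```python
"""Added example (not from the original post): session cookie builders and a
server-side session store with idle/absolute timeouts.  Names and timeout values
are assumptions for illustration."""
import secrets

SESSION_COOKIE = "sid"        # cookie name (assumption)
IDLE_TIMEOUT = 15 * 60        # seconds with no request before the server drops the session (assumption)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity (assumption)
REMEMBER_MAX_AGE = 3600       # one hour, the persistent lifetime asked about in the question


def set_cookie_header(sid: str, remember: bool) -> str:
    """Build the Set-Cookie value carrying the session id.

    Without Expires/Max-Age the cookie is non-persistent and is discarded when the
    browser instance ends.  With Max-Age the browser keeps it across restarts until
    the deadline passes, which is the shared-PC concern raised in the answer.
    """
    attrs = [f"{SESSION_COOKIE}={sid}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if remember:
        attrs.append(f"Max-Age={REMEMBER_MAX_AGE}")
    return "; ".join(attrs)


def clear_cookie_header() -> str:
    """Set-Cookie value sent on logout: Max-Age=0 instructs the browser to delete the cookie."""
    return f"{SESSION_COOKIE}=; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=0"


class SessionStore:
    """In-memory server-side session table.  `now` is passed explicitly so the
    timeouts can be exercised deterministically; a real service would pass time.time()."""

    def __init__(self, idle: int = IDLE_TIMEOUT, absolute: int = ABSOLUTE_TIMEOUT):
        self._sessions = {}
        self.idle = idle
        self.absolute = absolute

    def create(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid: str, now: float):
        """Return the user for a live session, or None.

        A cookie the browser still presents is rejected once the server-side session
        has expired, so the server-side limits, not the cookie lifetime, bound how
        long a session left behind on a shared machine can be reused."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["created"] > self.absolute or now - s["last_seen"] > self.idle:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def shared_pc_scenario(remember: bool, gap_seconds: int) -> bool:
    """Constructed walk-through (assumption, not a real measurement): a user logs in,
    the browser on the shared PC is closed, and someone else opens it `gap_seconds`
    later.  Returns True if that second person is still authenticated.  Browser
    behaviour is modelled as the cheat sheet describes it: a non-persistent cookie
    is gone after the restart, a persistent one is kept until Max-Age passes."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    sid = store.create("alice", t0)
    header = set_cookie_header(sid, remember)

    if "Max-Age=" not in header:
        cookie_present = False                   # non-persistent cookie discarded on restart
    else:
        cookie_present = gap_seconds <= REMEMBER_MAX_AGE
    if not cookie_present:
        return False
    # The cookie survived; only the server-side timeouts can still reject it.
    return store.lookup(sid, t0 + gap_seconds) is not None


if __name__ == "__main__":
    print(set_cookie_header("example-sid", remember=False))
    print(set_cookie_header("example-sid", remember=True))
    for remember, gap in ((False, 60), (True, 60), (True, 30 * 60)):
        print(f"remember={remember} gap={gap}s -> reusable: {shared_pc_scenario(remember, gap)}")
```

The walk-through makes the answer's two points concrete: with a persistent cookie the session is reusable after a browser restart within the hour, but a short server-side idle timeout (15 minutes here) still rejects it once the original user has been away long enough, so shortening the server-side retention period limits the damage of a forgotten session on a shared PC.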



© 2024 OneMinuteCode. All rights reserved.