You can only really expire cookies on the server

January 25, 2010

(Every so often I feel like stating outright something that I have previously mentioned in asides in other entries. Today is one of those times.)

Here is an important corollary of the basic rule of website security (you can't trust anything the client sends you): if you want your cookies to expire, you must force them to expire on the server, not count on web browsers to expire them for you. Neither using session cookies nor putting an explicit expiry time on your non-session cookies will actually make your cookies expire if the user doesn't want them to. Session cookies don't work because users may keep their browser sessions running for weeks or longer (and browsers that restore the previous session on restart can bring session cookies back with them), and users can perfectly well edit the expiry times of non-session cookies (I've done it to reduce the annoyance level of being repeatedly prompted for a site login). The Expires and Max-Age attributes are only advice to the browser about when to stop sending the cookie; nothing in the protocol tells the server whether that advice was followed.

So you need something on the server to make cookies expire, no matter what the client tells you, and it has to be checked on every request that relies on the cookie. If you use session IDs, you need to put the expiry time in your database record for the session and reject (ideally delete) any session that is past it. If you don't use session IDs, you need to put the expiry time in the login or whatever cookie and include it in what you sign (and authenticate), so that a client who edits the time inside the cookie value only produces a cookie that fails verification.

(In the long run it may be better to put in a creation time instead of an expiry time. Using a creation time and then computing the expiry time on the fly in your application means that you can change the expiry duration later, including shortening it to cut off existing logins, without having to rewrite database records or reissue cookies.)
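As an added illustration, not code from the original post, here is a Python sketch of both server-side approaches above: a session table that stores the creation time in each record, and a stateless login cookie whose creation time sits inside the HMAC-signed payload so the client cannot move it. The secret key, the `user:created:mac` cookie layout and the `MAX_AGE` value are assumptions made for the example. Expiry is computed at check time from the creation time, as the parenthetical suggests, so changing `MAX_AGE` later applies to sessions and cookies that already exist.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side secret for the example; a real deployment loads
# this from configuration or a key store, never from source.
SECRET_KEY = b"example-server-secret-do-not-use"
# Session lifetime in seconds. Because expiry is computed from the stored
# creation time, changing this later retroactively affects existing logins.
MAX_AGE = 7 * 24 * 3600


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the payload, URL-safe base64 without padding."""
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_login_cookie(user: str, now=None) -> str:
    """Build a stateless login cookie value 'user:created:mac'.

    'created' is a Unix timestamp and is part of the signed payload, so a
    client who edits it produces a cookie whose MAC no longer verifies.
    The Expires/Max-Age attribute sent alongside is deliberately not relied on.
    """
    created = int(time.time() if now is None else now)
    payload = f"{user}:{created}".encode()
    return f"{payload.decode()}:{_sign(payload)}"


def check_login_cookie(cookie: str, now=None, max_age: int = MAX_AGE):
    """Return the user name if the cookie is authentic and unexpired, else None.

    Expiry is decided here, on the server, from the signed creation time;
    whatever the browser was told about cookie lifetime is irrelevant.
    """
    try:
        # rsplit so a user name containing ':' still parses.
        user, created_s, mac = cookie.rsplit(":", 2)
        created = int(created_s)
    except ValueError:
        return None
    payload = f"{user}:{created_s}".encode()
    # Constant-time comparison: verify authenticity before trusting 'created'.
    if not hmac.compare_digest(_sign(payload), mac):
        return None
    now = time.time() if now is None else now
    # Reject cookies past their lifetime, and ones claiming to be from the
    # future (clock skew beyond a small tolerance is treated as invalid).
    if now - created > max_age or created > now + 60:
        return None
    return user


class SessionStore:
    """Minimal in-memory session table; stands in for a database here.

    Each record carries its creation time, and lookup() computes expiry from
    it, so the lifetime can be changed without rewriting records.
    """

    def __init__(self, max_age: int = MAX_AGE):
        self.max_age = max_age
        self._sessions = {}  # session id -> {"user": ..., "created": ...}

    def create(self, user: str, now=None) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        created = int(time.time() if now is None else now)
        self._sessions[sid] = {"user": user, "created": created}
        return sid

    def lookup(self, sid: str, now=None):
        """Return the user for a live session, or None; expired records are reaped."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = time.time() if now is None else now
        if now - rec["created"] > self.max_age:
            del self._sessions[sid]
            return None
        return rec["user"]


if __name__ == "__main__":
    t0 = 1_000_000  # constructed fixed clock for a reproducible demo
    cookie = make_login_cookie("alice", now=t0)
    print("fresh cookie:", check_login_cookie(cookie, now=t0 + 60))
    print("after MAX_AGE:", check_login_cookie(cookie, now=t0 + MAX_AGE + 1))
    user, created, mac = cookie.rsplit(":", 2)
    forged = f"{user}:{int(created) + 10 * MAX_AGE}:{mac}"  # client moves the time
    print("forged creation time:", check_login_cookie(forged, now=t0 + MAX_AGE + 1))
    store = SessionStore(max_age=60)
    sid = store.create("bob", now=t0)
    print("session at +30s:", store.lookup(sid, now=t0 + 30))
    print("session at +61s:", store.lookup(sid, now=t0 + 61))
```

Both checks take the current time as a parameter only so the behaviour can be exercised with a fixed clock; in a real handler you would let them default to `time.time()`. The same trick is what lets a lowered `max_age` immediately invalidate logins that were issued under the old, longer lifetime.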

Written on 25 January 2010.

Last modified: Mon Jan 25 00:42:17 2010