Session cookie that expires - cookies

Is it possible to have a session cookie that expires? I.e., I want the cookie to last a maximum of 30 minutes, but also get deleted if the user closes his browser. Workarounds are also welcome.
Tried the max-age setting, but that made it not delete when the browser ends.

As far as I know, you can't do both in one cookie. It's one or the other, so either:
set the max-age to 30 minutes to create a persistent cookie; or
don't set the max-age to create a session cookie.
What you could do, however, is create both a session cookie and a 30 minute persistent cookie with different names, and then base your session handling on the presence of both cookies.

Related

gmail for business session cookie not persisting

When I'm logged in to a google account, site responses contain this cookie:
set-cookie:SIDCC=xxx; expires=Mon, 27-Nov-2017 06:12:16 GMT; path=/; domain=.google.com; priority=high
However when I restart Chrome and visit same site, no cookie is sent. Why is that? I thought that expires makes it persistent.
There are multiple cookies generated by the server, and the cookies are stored in the browser.
A few cookies have a short expiry and some have a long expiry. If a cookie expires (is deleted from the browser), the browser will not append that cookie to the request, so the server sets the cookie in the browser again.
Since cookies are generated by the server and used by the server, the server can change a cookie whenever it wants to set one. Usually, some cookies are persistent and some are not.
So there will be cases where a cookie is stored for a long time but the server keeps changing it. In that case, it will set the cookie again.
As per your example, this SIDCC cookie is used by the Google apps. So this cookie keeps changing; other cookies like SID and HSID do not change on browser reopen. A few cookies like NID, SAPISID, and Compass also change. The SAPISID changes after a few transactions or after a particular transaction.

Django, setting cookie

Django: Cookie set to expire in 30 seconds is actually expiring in 30 minutes? does
hr = HttpResponse('ok')
hr.set_cookie('user_id', user_id, max_age=30)
while https://stackoverflow.com/a/25179642/433570 does
request.session[user_id] = True
And both say we are setting a cookie.
What's the difference between the two?
Can I set the expiration with the request.session method?
In short, cookies are intended to be stored in client side while sessions are stored in server-side (unless you're using cookie based session).
Users can clear HTTP cookies from their browsers, but they can't do anything about the sessions on your server. Clearing sessions is up to you and your settings. There are some Django settings you can use to determine their age, like SESSION_COOKIE_AGE. For HTTP cookies it's possible to set attributes like max_age and expires.
Choosing which one to use depends on your requirements; are you going to store sensitive data, is permanence important etc.
References:
Django sessions
Django request-response methods including set_cookie
Wikipedia HTTP cookies

How to expire F5 APM session on browser close with alternate timeout

We are using the F5 APM to control access to our webapp, but are having some issues regarding expiration rules.
The scenario we want is that the cookie expires 12 hours after creation, or upon browser close, whichever comes first.
Despite our efforts, it would seem that we only have one of two options:
set the cookie's "Expires" property to 12 hours (or max-age)
don't set the "Expires" property at all
The first option successfully allows for the cookie to expire after 12 hours, but if the browser closes, the cookie is persisted until that time, so only one of the 2 conditions is met.
The second option will expire the cookie on browser close, but will not expire if the browser is open for 12 hours or more.
Is there a setting with the F5 APM that will expire the session on the F5 side, while the cookie can remain a session cookie on the browser side?
The best way to accomplish what you are trying to do with APM is to use a session cookie for the APM MRH cookie, and then set the Maximum Session Timeout setting to 12 hours (the value is set in seconds) on the Access profile under Properties in the Settings section (on version 11.x, may be in a slightly different place on v10.x). This will do exactly what you are trying to do.
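The same split, sketched as an added example (not F5 configuration and not code from this page): the browser receives a session cookie with no Expires or Max-Age, and the server enforces the 12-hour limit itself, which also covers the 30-minute case in the first question. `SessionStore`, the cookie name `sid` and the in-memory dict are assumptions for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

MAX_SESSION_SECONDS = 12 * 60 * 60  # absolute limit enforced by the server


class SessionStore:
    """Hypothetical in-memory store mapping session id -> creation time."""

    def __init__(self, max_age=MAX_SESSION_SECONDS, clock=time.time):
        self._created = {}
        self._max_age = max_age
        self._clock = clock

    def create(self):
        """Start a session and return (sid, Set-Cookie header value)."""
        sid = secrets.token_urlsafe(32)
        self._created[sid] = self._clock()
        cookie = SimpleCookie()
        cookie["sid"] = sid
        # No "expires" / "max-age" attribute: the browser treats this as a
        # session cookie and discards it when the browser closes.
        cookie["sid"]["path"] = "/"
        cookie["sid"]["httponly"] = True
        cookie["sid"]["secure"] = True
        cookie["sid"]["samesite"] = "Lax"
        return sid, cookie["sid"].OutputString()

    def validate(self, cookie_header):
        """Return the sid if the Cookie header names a live session, else None."""
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get("sid")
        created = self._created.get(morsel.value) if morsel is not None else None
        if created is None:
            return None
        if self._clock() - created >= self._max_age:
            # Expired on the server: forget the session even though the
            # browser may still be sending the cookie.
            del self._created[morsel.value]
            return None
        return morsel.value
```

The timeout lives in the server's record, so a browser that restores session cookies after a restart, or a client that replays an old cookie, still hits the 12-hour limit.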

Should I return the cookie in every web response?

When a user logs in to my website, it returns a cookie with a two-hour expiry. The cookie is not returned in following calls, so after two hours the cookie expires even when the user is still using the website, and the user is then redirected to the login page.
So I think I know the solution, but is it good practice to return the cookie with the "expire" updated in every call?
Cheers.
It's not a huge deal to set a session cookie in every server response, especially since the client is already sending it to the server in every request.
However, you can do better than that. If the client comes in with a cookie that's bound to expire, say, less than 1 hour and 50 minutes from now, you can send them a new cookie that's set to a new, 2-hour expiration date. You can easily keep track when a client cookie is set (and is therefore bound to expire) in your session handling code.
It boils down to why not? It solves the timeout problem, and has no drawbacks.
The only side effect is the additional bandwidth necessary to transfer the cookie, but this is completely negligible. If you do care about that bandwidth, only resend the cookie every n minutes.
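The renewal rule from the answers above, as an added example rather than code from the original posts: the server records when it last issued the cookie and reissues it only once less than 1 hour 50 minutes remain. The `session` record layout, the cookie name `sid` and the 12-hour `ABSOLUTE_LIMIT` (a cap so a session cannot be renewed forever) are assumptions.

```python
from http.cookies import SimpleCookie

COOKIE_LIFETIME = 2 * 60 * 60   # two-hour cookie, as in the question
REFRESH_BELOW = 110 * 60        # reissue when under 1 h 50 min remain
ABSOLUTE_LIMIT = 12 * 60 * 60   # assumed cap on total session length


def build_cookie(sid, max_age):
    """Return a Set-Cookie value for a cookie that lasts max_age seconds."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["max-age"] = int(max_age)
    cookie["sid"]["path"] = "/"
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    return cookie["sid"].OutputString()


def renew(session, now):
    """Decide what one request needs.

    session is the server-side record: sid, created_at, cookie_issued_at.
    Returns ("expired", None), ("ok", None) or ("renewed", set_cookie_value).
    """
    cookie_left = session["cookie_issued_at"] + COOKIE_LIFETIME - now
    session_left = session["created_at"] + ABSOLUTE_LIMIT - now
    if cookie_left <= 0 or session_left <= 0:
        return "expired", None
    if cookie_left >= REFRESH_BELOW:
        return "ok", None  # cookie is still fresh, send nothing extra
    # Slide the window forward, but never past the absolute limit.
    session["cookie_issued_at"] = now
    return "renewed", build_cookie(session["sid"], min(COOKIE_LIFETIME, session_left))
```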

Clear cookies on browser close

How do I clear the cookies that have been stored through my ASP.NET MVC (C#) application when the user closes the browser?
Is there any option to create a cookie such that it expires once the browser is closed?
I need to use cookies, because I will store some of the values to be maintained until the browser is closed.
For example, during sign-in I may store the userid in a cookie, which I can use for my application processes until the browser closes.
The session will expire after some particular time, which I need to overcome by using cookies.
Sessions are usually used for this. According to Wikipedia, when no expiration date is set, a cookie is cleared when the user closes the browser.
The cookie setter can specify a deletion date, in which case the cookie will be removed on that date. If the cookie setter does not specify a date, the cookie is removed once the user quits his or her browser.
As mentioned in this SO question:
Response.Cookies["cookie_name"].Expires = DateTime.Now.AddMinutes(Session.Timeout); // Session.Timeout is in minutes
you can use this script and call it in the body tag
<body onunload="dc()">
</body>
<script type="text/javascript">
function dc(){
document.cookie = 'access=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';
}
</script>
When I set my cookie to expire in the past or did not set it at all, it caused my SSO login to get into an infinite loop with my site. Probably I configured my site wrong to work with the SSO login.
But what worked for me was just adding 2 seconds to the cookie expiration time.
trackCookie.Expires = DateTime.Now.AddSeconds(2);
This gives the cookie the validity on login. And expires it soon after. So on close of the browser, the cookie is deleted.