Comment by lapcat
2 days ago
OMG I wish that someone would tell this to Apple.
Apple's developer services, such as App Store Connect, actually use session cookies. It's infuriating.
Google’s the one I have the most trouble with in this regard. The more things you sign into the worse it gets, seemingly, which really sucks if for example you’ve got a bunch of Android test devices and simulators sharing test accounts. A high profile example is how on the WAN Show, Linus or Luke always get booted out of the show Google Doc and have to sign back in at some point during.
Google is pretty frustrating. I switch between my desktop and laptop frequently and sometimes browsers as well. The reauth dialog pops up two weeks for every login - usually just when I'm about to hop on a meeting.
Uh, session cookies being one of the most fundamental pieces of authentication tech, there's nothing wrong with them. This is like saying, "example.com actually uses HTTPS. It's infuriating."
Do you mean that you have to reauth across domains? Those still use session cookies.
Edit: I'm dating myself here, but as far as I can tell apparently sometime between 2010 and 2011, developers started referring to session cookies as cookies with the lifetime of a browser session and not to cookies which contain session data.
If anyone can correct me on that timeline, I'd appreciate it. Sorry for the confusion in my comment.
No, sites use persistent cookies, which remain on your browser after you have closed the tab. Session cookies are wiped out automatically after every session.
Note that modern web browsers do not define a session end as "when you close your browser" unless you hunt for and enable settings to make them do that. Session cookies will happily survive a browser restart by default, because browser makers know that most users don't consider closing their browser to be ending any kind of session.
I think some developers will interpret the term "session cookie" differently than that, because a "session" is usually just something that's tracked in a backend, and an identifier for this session is often written in a cookie.
Hence... Session cookie, even if set without expiration date
Session cookies are cookies that identify a session. They last however long you specify. A bank forces quick session expiry. Amazon doesn't.
Compare https://docs.djangoproject.com/en/5.2/topics/http/sessions/ .
> To use cookies-based sessions, set the SESSION_ENGINE setting to "django.contrib.sessions.backends.signed_cookies".
> When using the cookies backend the session data can be read by the client.
> A MAC (Message Authentication Code) is used to protect the data against changes by the client, so that the session data will be invalidated when being tampered with. The same invalidation happens if the client storing the cookie (e.g. your user’s browser) can’t store all of the session cookie and drops data.
I set my browser to clear cookies on exit so that my cookies cannot be stolen by malware.
> Session cookies are temporary data files stored on a user's device to maintain a user's session on a website or application. They are automatically deleted when the user closes their browser or exits the application, unlike persistent cookies which can store information across sessions.
Most sites do not use session cookies for auth, they use persistent cookies.
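Added example, not part of any comment in this thread: the lifetime sense of "session cookie" versus "persistent cookie" argued over above is decided by the `Max-Age` and `Expires` attributes of the `Set-Cookie` header, not by the cookie's name or what it stores. The Python sketch below classifies header values on that basis; the cookie name `sid`, the sample values and the fixed clock are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed Set-Cookie values for illustration (not captured from any real site).
SAMPLES = [
    "sid=abc123; Path=/; Secure; HttpOnly",
    "sid=abc123; Max-Age=1209600; Path=/; Secure; HttpOnly",
    "sid=abc123; Expires=Wed, 21 Oct 2037 07:28:00 GMT; Path=/",
    "sid=abc123; Max-Age=30; Expires=Wed, 21 Oct 2037 07:28:00 GMT",
    "sid=deleted; Max-Age=0; Path=/",
]
# Fixed clock (an assumption of this example) so the Expires arithmetic is reproducible.
FIXED_NOW = datetime(2037, 10, 21, 7, 27, 0, tzinfo=timezone.utc)


def classify_set_cookie(value, now=None):
    """Return (name, kind, seconds_left) for one Set-Cookie header value.

    kind is "session" (no lifetime attribute, so the browser decides when the
    session ends), "persistent" (explicit lifetime still in the future) or
    "expired" (lifetime of zero or in the past, i.e. a deletion).
    """
    now = now or datetime.now(timezone.utc)
    jar = SimpleCookie()
    jar.load(value)
    if not jar:
        raise ValueError("no cookie found in header value")
    name, morsel = next(iter(jar.items()))
    max_age, expires = morsel["max-age"], morsel["expires"]
    if max_age != "":
        # RFC 6265: when both attributes are present, Max-Age wins over Expires.
        seconds = int(max_age)
    elif expires:
        seconds = int((parsedate_to_datetime(expires) - now).total_seconds())
    else:
        return name, "session", None
    return name, ("persistent" if seconds > 0 else "expired"), seconds


def classify_all(values, now=FIXED_NOW):
    """Classify every header value in a list against the same clock."""
    return [classify_set_cookie(v, now) for v in values]


if __name__ == "__main__":
    for header, result in zip(SAMPLES, classify_all(SAMPLES)):
        print(result, "<-", header)
```

The result describes only what the server asked for; a browser configured to restore the previous session can keep a "session" cookie across restarts, as one comment above points out.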