Everything I read about cookies says that setting the cookie expiration time to zero should make it a "session" cookie, which the browser will delete after exiting.
http://www.cookiecentral.com/faq/ says that:
"... usually a session is the time during which the browser is open for ..."
http://php.net/manual/en/function.setcookie.php says:
"If set to 0 or omitted, the cookie expires at the end of the session (when the browser closes)."
However, some experiments in Firefox (3.0.8) show that:
- cookies set as session and protected are deleted on exit
- cookies set as session only are not deleted on exit
Opera (9.64) behaves as I expected, deleting session cookies on exit, whether they are set as safe or not.
I wanted to be able to rely on this in the web application I’m working on (having a secure cookie and an unsafe cookie like a “registered login”, and having them expire together, with either a real time or 0 for the session), but it seems that even if it is in the standard, browsers are not consistent enough to rely on it :/
Is this a browser error, expected behavior, and/or is the actual lifetime of session cookies not defined in the standard?
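An added example, not part of the original post: a small Python check that classifies `Set-Cookie` header values as session or persistent and reports the Secure flag, so you can confirm that a pair of login cookies like the one described above is sent with the same lifetime. The cookie names, values and sample headers are constructed for illustration.

```python
import re
from email.utils import parsedate_to_datetime

def classify_set_cookie(value):
    """Parse one Set-Cookie header value into name, lifetime class and Secure flag."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # A cookie is a session cookie when it carries no usable Expires or Max-Age.
    # RFC 6265 tells user agents to ignore values they cannot parse, and leaves
    # the end of the "session" to be defined by the user agent.
    lifetime = "session"
    if re.fullmatch(r"-?\d+", attrs.get("max-age", "")):
        lifetime = "persistent"
    elif "expires" in attrs:
        try:
            parsedate_to_datetime(attrs["expires"])
            lifetime = "persistent"
        except (TypeError, ValueError):
            pass  # unparseable date: attribute ignored, cookie stays a session cookie
    return {"name": first.partition("=")[0], "lifetime": lifetime,
            "secure": "secure" in attrs}

def lifetimes_match(headers, names):
    """True when every named cookie is present and all share one lifetime class."""
    seen = {c["name"]: c["lifetime"] for c in map(classify_set_cookie, headers)}
    return all(n in seen for n in names) and len({seen[n] for n in names}) == 1

# Constructed sample headers (hypothetical cookie names and values).
SAMPLE = [
    "login_secure=abc123; path=/; secure",
    "login_plain=abc123; path=/",
    "remember=xyz789; expires=Wed, 01 Jan 2031 00:00:00 GMT; path=/",
    "broken=1; expires=0; path=/",
]

if __name__ == "__main__":
    for header in SAMPLE:
        print(classify_set_cookie(header))
    print(lifetimes_match(SAMPLE, ["login_secure", "login_plain"]))
```

This only verifies what the server sends; when a browser actually discards a session cookie is still up to the browser.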