Comment by andrewmcwatters

Comment by andrewmcwatters 5 days ago

17 replies

View on Hacker News

Uh, session cookies being one of the most fundamental pieces of authentication tech, there's nothing wrong with them. This is like saying, "example.com actually uses HTTPS. It's infuriating."

Do you mean that you have to reauth across domains? Those still use session cookies.

Edit: I'm dating myself here, but as far as I can tell apparently sometime between 2010 and 2011, developers started referring to session cookies as cookies with the lifetime of a browser session and not to cookies which contain session data.

If anyone can correct me on that timeline, I'd appreciate it. Sorry for the confusion in my comment.

paxys 5 days ago

No, sites use persistent cookies, which remain on your browser after you have closed the tab. Session cookies are wiped out automatically after every session.

Reply View 14 replies
  • chowells 5 days ago

    Note that modern web browsers do not define a session end as "when you close your browser" unless you hunt for and enable settings to make them do that. Session cookies will happily survive a browser restart by default, because browser makers know that most users don't consider closing their browser to be ending any kind of session.

    Reply View 0 replies
  • ffsm8 5 days ago

    I think some developers will interpret the term "session cookie" differently then that, because a "session" is usually just something that's tracked in a backend, and an identifier for this session is often written in a cookie

    Hence... Session cookie, even if set without expiration date

    Reply View 0 replies
  • thaumasiotes 5 days ago

    Session cookies are cookies that identify a session. They last however long you specify. A bank forces quick session expiry. Amazon doesn't.

    Compare https://docs.djangoproject.com/en/5.2/topics/http/sessions/ .

    > To use cookies-based sessions, set the SESSION_ENGINE setting to "django.contrib.sessions.backends.signed_cookies".

    > When using the cookies backend the session data can be read by the client.

    > A MAC (Message Authentication Code) is used to protect the data against changes by the client, so that the session data will be invalidated when being tampered with. The same invalidation happens if the client storing the cookie (e.g. your user’s browser) can’t store all of the session cookie and drops data.

    Reply View 5 replies
  • [removed] 5 days ago
    [deleted]
    Reply View 0 replies
  • koakuma-chan 5 days ago

    I set my browser to clear cookies on exit so that my cookies cannot be stolen by malware.

    Reply View 4 replies
    • paxys 5 days ago

      Why do you think malware can't steal your cookies when the browser is open (and I assume it is open for most of the day)?

      Reply View 1 reply
      • koakuma-chan 5 days ago

        Because (at least less sophisticated) malware just steals your browser files which contain cookies. I am assuming of course the browser is smart enough not to write cookies to disk if I set it to clear cookies on exit.

        Reply View 0 replies
voxic11 5 days ago

> Session cookies are temporary data files stored on a user's device to maintain a user's session on a website or application. They are automatically deleted when the user closes their browser or exits the application, unlike persistent cookies which can store information across sessions.

Most sites do not use session cookies for auth, they use persistent cookies.

Reply View 0 replies