I was reading this article and I was wondering, what exactly is a standard session management cookie (SSMC)?

It also recommends that the SSMC should be a session cookie and therefore expire when the browser is closed.

Because it's an 'improved' article, I tried to look for any definition in the original article (here). According to it, a "SSMC handles the credentials for the life of the session, so the newly assigned cookie will not be checked until the next session (at which point it, too, will be invalidated after use)."

What I didn't understand is how long the user will be logged in if the session expires when the browser closes and the session's lifetime credentials are deleted, and how this should be used. There is nothing in the article about the 'normal' cookies (that contain the login information) being session cookies and therefore they should have an expiration date.

I'm really confused so I hope someone can clear it up for me. Any alternatives as secure as this one are also welcome. Thanks!

Background:

I'm writing a remember me function using cookies. Apparently there are 2 cookies: the first one is the SSMC (standard session management cookie) and the second one is a login cookie which consists of:

  • A username
  • A unique token that's being regenerated every time the user logs in to the site
  • A series id which is a unique random number for a specific username that never changes. These are also stored in a table in the database.
  • Related reading: http://stackoverflow.com/questions/3128985/php-loginsystem-remember-me – Leigh Jul 04 '12 at 11:17
  • To answer the question in the title: a session cookie is either a) a cookie that stores information about the user's session, like the session id; or b) a cookie which is only valid for the current "browsing session", i.e. a cookie with an expiration value of `0`, which will be expired when the browser window is closed. The term "session cookie" unfortunately applies to both of these, but often a "session cookie" incorporates both aspects. I have not read the linked article in full to answer your concerns in more details (TL;DR). – deceze Jul 04 '12 at 11:21
  • I think both. But what if the cookie expires, what happens then? A new one should be created? The user is counted as logged off? Basically what I'm asking is, what's the session management cookie's role in the whole system? – Asaf Jul 04 '12 at 11:26
  • Actually... after reading [here](http://onlamp.com/pub/a/php/excerpt/webdbapps_8/index.html?page=2) I found out that basically a session management cookie is created automatically anyways when starting a new session, is it true? How'd you set its expiration then? – Asaf Jul 04 '12 at 11:31

0 Answers
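An added example, not part of the question or the article it quotes: a sketch of how the two cookies described above divide the work, with in-memory dicts standing in for the session store and the database table. All function names, the 30-day lifetime, and the policy of revoking a series when a stale token is presented are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

LOGIN_TTL = 30 * 24 * 3600   # assumed lifetime of the persistent login cookie
sessions = {}                # session id -> username (server-side session store)
login_tokens = {}            # (username, series) -> (sha256 of token, expiry)

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_login_cookie(username, series=None, now=None):
    """Create or rotate the login cookie: the series is kept, the token is fresh."""
    now = time.time() if now is None else now
    series = series or secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)
    login_tokens[(username, series)] = (_digest(token), now + LOGIN_TTL)
    return f"{username}:{series}:{token}"   # sent with an explicit expiry date

def start_session(username):
    """Session management cookie: sent without an expiry, dropped on browser close."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = username
    return sid

def authenticate(session_cookie, login_cookie, now=None):
    """Return (username, session_cookie, login_cookie, status) for one request."""
    now = time.time() if now is None else now
    if session_cookie in sessions:          # live session: login cookie is not checked
        return sessions[session_cookie], session_cookie, login_cookie, "session"
    try:
        username, series, token = (login_cookie or "").rsplit(":", 2)
    except ValueError:
        return None, None, None, "anonymous"
    record = login_tokens.get((username, series))
    if record is None or now > record[1]:
        login_tokens.pop((username, series), None)
        return None, None, None, "anonymous"
    if not hmac.compare_digest(record[0], _digest(token)):
        del login_tokens[(username, series)]   # assumed policy: stale token means theft
        return None, None, None, "revoked"
    # Valid login cookie: it is used once, replaced, and a new session starts.
    new_login = issue_login_cookie(username, series, now)
    return username, start_session(username), new_login, "remembered"
```

The user stays logged in across browser restarts for as long as the login cookie and its database row remain valid; the session cookie only spares the server from re-checking that login cookie on every request within one browsing session.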