When are session cookies deleted by the browser?

Question

If I set a cookie as a session cookie (no expires/max-age value), when does the browser remove the cookie?

I know that it is removed when the browser is closed but I'd like to know if there is ever a case where a session cookie can timeout or expire before the browser is closed.

score 13 · Accepted Answer · edited Dec 03 '22 at 22:14

13

To quote RFC 6265:

If a cookie has neither the Max-Age nor the Expires attribute, the user agent will retain the cookie until "the current session is over" (as defined by the user agent).

And:

The user agent is not required to retain the cookie for the specified duration. In fact, user agents often evict cookies due to memory pressure or privacy concerns.

So: your mileage may vary.

edited Dec 03 '22 at 22:14

Mark Amery

143,130
81
406
459

answered Jan 29 '14 at 15:08

CodeCaster

147,647
23
218
272

Do the browser will physically remove the cookie, when they expire? – Murali Murugesan Jan 29 '14 at 15:35
@murali what is "physically remove"? It depends entirely on the browser implementation. A browser may very well choose to save "session cookies" only in memory, for example. – CodeCaster Jan 29 '14 at 16:00
I meant, will the browser delete it after expiry or it will leave as it is? – Murali Murugesan Jan 29 '14 at 16:12
@Murali, I'm sorry, I don't understand what you mean. – CodeCaster Jan 29 '14 at 18:18
When cookie is marked invalid by the server, is cookie automatically deleted? – Denny Kurniawan Sep 29 '21 at 19:31

When are session cookies deleted by the browser?

1 Answers1