It's not the cookie that's expiring, per se, but the server-side
information that corresponds to the cookie.  Indeed, the fact that
the site could tell you that the session had expired indicates that
the cookie itself did not expire.

As to why they must/should expire, remember that system resources
are consumed by every session that is created.  These system resources
might be rows in a database table or files in a file system or whatever
means the site designers are using to implement sessioning.  Sessions
that have been inactive for some period are usually garbage collected
on the server side.  The expiration time for a session is up to the
site designer and is usually a function of how busy the site is expected
to be and the amount of system resources available for session info.

Of course, in sites where all the session information is contained
in the cookie itself, this is not an issue, but on many sites the
amount of information that is needed to be stored on a per-session
basis is a bit large for a cookie.

-Paul


-----Original Message-----
From: Philip Mak [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 2:14 PM
To: [EMAIL PROTECTED]
Subject: Should cookies expire?


I have a general question about websites that use cookies to store session
information:

Why should they expire at all?

Let me give you an example. Yesterday, I was at Amtrak Rail's website to
purchase train tickets. Now, I multitask a lot, and sometimes I might
leave one browser window idle while I go to do something else.

So I'm browsing the possible rides I can get on, then I do something else
for half an hour. I go back to the browser window with Amtrak, and then
when I click something it tells me that my session has expired and I'll
have to log in again!

Gritting my teeth, I log in again and start the process over. This time I
finish the reservation and minimize the window.

Later that night, I want to check my reservation again. I maximize that
window and click something ... oops, session expired again!

I realize that in a computer lab environment, automatic session expiration
may be needed for security purposes, but I think in the situation
mentioned above, it was excessive.

What do people think about this?

-Philip Mak ([EMAIL PROTECTED])
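
The distinction drawn in the reply above (the cookie survives, the server-side record does not) is shown in the following added example, which is not part of the original thread. The SessionStore class, its method names, the 20-minute idle limit and the sample user are all assumptions made for illustration; time is passed in explicitly so the behaviour is reproducible.

```python
import secrets

class SessionStore:
    """Hypothetical server-side session table keyed by the ID in the cookie."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout   # seconds of inactivity allowed
        self._rows = {}                    # sid -> {"data": ..., "last_seen": ...}

    def create(self, data, now):
        sid = secrets.token_urlsafe(32)    # unguessable ID; the only value the cookie holds
        self._rows[sid] = {"data": data, "last_seen": now}
        return sid

    def lookup(self, sid, now):
        """Return (status, data) where status is 'ok', 'expired' or 'no_cookie'."""
        if sid is None:
            return "no_cookie", None
        row = self._rows.get(sid)
        if row is None or now - row["last_seen"] > self.idle_timeout:
            # The browser still sent the cookie, but the server-side record
            # is gone or stale, so the site can report "session expired".
            self._rows.pop(sid, None)
            return "expired", None
        row["last_seen"] = now             # activity resets the idle clock
        return "ok", row["data"]

    def collect_garbage(self, now):
        """Free rows idle past the timeout; return how many were removed."""
        stale = [s for s, r in self._rows.items()
                 if now - r["last_seen"] > self.idle_timeout]
        for sid in stale:
            del self._rows[sid]
        return len(stale)

    def __len__(self):
        return len(self._rows)


def demo():
    store = SessionStore(idle_timeout=20 * 60)          # constructed: 20-minute limit
    sid = store.create({"user": "philip"}, now=0)       # constructed sample session
    results = [store.lookup(sid, now=10 * 60)[0]]       # active after 10 minutes
    results.append(store.lookup(sid, now=45 * 60)[0])   # idle for 35 minutes
    results.append(store.lookup(None, now=45 * 60)[0])  # browser sent no cookie at all
    return results
```
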
