I say until you log out, session times out or you close the browse开发者_StackOverflow社区r. But am I right?
I had an interview today and the interviewer wanted to know if I log into a page and closes the browser (without logging off), what happens to the session.
I said that the session will be orphaned. He says no - because their users are able to connect back to the session by just opening up the browser (using a cookie only). I told him that's a persistent cookie - not a session cookie. And I said that if that's the cause, there is nothing preventing the user from exporting the [persistent] cookie to a another computer and starting the session on that computer.
At first he said you can't export a cookie but when I explained how, he said that he'll look but since many many people including 2 architects came up with the design, it is unlikely they are all wrong.
A session cookie is a cookie without an expiration time.
Handling of session cookies varies by browser and by browser version, but generally cookies that have no expiration date are deleted when the last instance of that browser is closed (lifetime=runtime of the browser).
Importantly, the server-side session that corresponds to the cookie value has a completely independent lifetime that is defined on the server. HTTP is a connectionless protocol, so when your browser isn't in the middle of a transaction, the server side has no idea whether you're still there or not. Tomcat issues unique, fixed-length cookies named JSESSIONID that they link to stored session data on the server. In that case the session expiration time is stored on the server. ASP base64 encodes all the session info, encrypts it, and writes it to giant cookies in your browser so it doesn't have to store that session data on the server. The session expiration time is saved inside the encrypted data stored in the cookie. Either way there's a record of when the session should expire, so session lifetime can't exceed the server side timeout.
You can set the same cookies in another browser and send the same data (mostly cookies) that the first browser would have sent, and as long as the server timeout hasn't been reached, the server will let you access the server-side session the same way. When people do this to your cookies, it's called a session hijack.
Here's JavaScript code adding a "session" cookie, which is just a cookie where no "Expires" value has been set.
document.cookie="COOKIENAME=cookievalue";
Here's JavaScript that adds a cookie with a specific expiration time, meaning that the browser is instructed to stop sending it with outgoing requests after that time:
document.cookie="COOKIENAME=cookievalue; expires=Fri, 31 Dec 9999 00:00:01 GMT";
The cookie data sent to the server does not include metadata like expiration time; the server only sees the key=value pairs. Expiration data is only for the browser to read. Setting a cookie with either of the above methods will cause the browser to send that cookie to the server this way:
Cookie: COOKIENAME=cookievalue
The server initially sets the cookie with or without an expiration date, but it has no idea whether that has been changed, and it doesn't really care. There's no functional difference between a cookie set to expire next month and a session cookie on a computer that stays on with the browser running until next month.
You are absolutely right. Session cookies are deleted when the browser closes and persistent cookies are deleted when their expiration time is up. Their website must use persistent cookies if the sessions stays alive after the browser closes. All cookies can be exported to another computer. This is a well known security vulnerability that is mitigated by using SSL.
There isn't a clear definition of "session" in web applications. A web site may decide to use either persistent cookies or session cookies to look up a session context on subsequent requests (or maybe something besides cookies). If the session lookup is done through a session cookie, then what you said about the session being orphaned (on the server, not accessible by a client) is correct.
However, "when you close the browser" is ambiguous. If you have two instances of Internet Explorer open, for example, both windows may be keeping a session cookie alive. Therefore, closing "the browser" that the web site page is displayed in won't necessarily clear the cookie.
Not sure if it's the same as ASP, but I know that in PHP it's 20 minutes
精彩评论