I came across an interesting problem the other day, a session cookie set on an iPhone was not getting expired correctly. My first instinct was that it was a bug in our code. Checked it. Nope. Pretty perfect code.
Second guess was that it was an bug on the iPhone.
But looking into it a little deeper, the issue was more with the behaviour of the iPhone and how it handles it's browser. Typically when you close Safari, it actually does not close the app. It just minimizes it... So the browser is still alive!
According to the definition of a "Session cookie":
A session cookie only lasts for the duration of users using the website. A web browser normally deletes session cookies when it quits. A session cookie is created when no Expires directive is provided when the cookie is created.
So if the browser never quits, will the cookie be deleted? The answer is NO!
If the user restarts his/her iPhone, only then will the cookie be deleted.
This problem, though caught on an iPhone, seems to be applicable to other browsers as well. I know individuals who do not restart their desktops/laptops/mobile phones for extended period of times. This can be from two weeks to two months. Invariably, restarts do happen due to OS and device upgrades. The browsers on these devices typically share the same uptime as their hosts. So do Session Cookies work on these browsers as intended by the developer? My guess is not always. It depends on the functionality which the developer has used the Session Cookie for.
For example, if a developer uses a Session Cookie to remember a user's choice of A or B every time s/he visits the website the first time. Now if the functionality of switching between A or B is not available later on and relies only on the Session cookie, you would have an issue on an iPhone which has not been restarted.
There are a couple of solutions:
1. Provide the user the functionality of switching between A and B later on and not totally rely only on the Session Cookie
2. Stop using Session Cookies. Set a sliding expiration on a cookie. This could be typically the Server Session Time-out value.
Ultimately you would need to be aware of this situation and come up with a solution which is in line with the functionality provided to the end-user.
This article was originally written on Google's Blogger platform and ported to Hashnode on 17 Sep 2022.