- From: Martin Atkins <mart@degeneration.co.uk>
- Date: Fri, 12 Dec 2008 15:37:29 -0800
Ian Hickson wrote:
> On Fri, 12 Dec 2008, Bil Corry wrote:
>
>> Or maybe it'd be better if non-persistent cookies are removed once the
>> user no longer has an open tab to the site, instead of using a
>> JavaScript-based solution.
>
> This could be done now; I recommend bringing this up with browser vendors
> as a feature request.

I'm not sure this is as easy as it first appears. For example, consider the following case:

* I have a single tab on site1 and I have a session cookie with them.
* I navigate from a page on site1 to site2 and site2 replaces site1 in my single tab.
* I navigate from site2 back to site1.

Have I now lost my session cookie?

This scenario is particularly important for technologies that use redirects to exchange data between domains, such as OpenID. Many OpenID implementations (for better or worse) use session cookies to retain state while they do the OpenID transaction, which involves redirecting the user away from your site to a URL on the provider's domain. If implemented exactly as stated, the session cookie would presumably be deleted during the OpenID transaction and the original site will break.
Received on Friday, 12 December 2008 15:37:29 UTC
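
The scenario in the message above, as an added example that is not part of the original thread: a toy browser model comparing today's session-cookie lifetime with the proposed "purge when no tab shows the site" rule across a redirect-based login. The `Browser` class, the `purgeWhenNoTab` option, the host names and the cookie name and value are all constructed for illustration.

```javascript
// Toy model of a browser: tabs plus a per-site session-cookie jar.
// purgeWhenNoTab = true models the proposal quoted above (hypothetical policy flag).
class Browser {
  constructor({ purgeWhenNoTab }) {
    this.purgeWhenNoTab = purgeWhenNoTab;
    this.tabs = [];                  // site currently shown in each tab
    this.sessionCookies = new Map(); // site -> { name: value }
  }
  openTab(site) { this.tabs.push(site); return this.tabs.length - 1; }
  navigate(tab, site) {
    const previous = this.tabs[tab];
    this.tabs[tab] = site;
    // Proposed rule: drop a site's session cookies once no tab shows it.
    if (this.purgeWhenNoTab && !this.tabs.includes(previous)) {
      this.sessionCookies.delete(previous);
    }
  }
  setCookie(site, name, value) {
    const jar = this.sessionCookies.get(site) || {};
    jar[name] = value;
    this.sessionCookies.set(site, jar);
  }
  getCookie(site, name) {
    const jar = this.sessionCookies.get(site);
    return jar ? jar[name] : undefined;
  }
}

// Redirect-based login in a single tab: the relying party keeps transaction
// state in a session cookie, redirects to the provider, then checks it on return.
function openIdLogin(browser) {
  const rp = "site1.example", op = "provider.example"; // constructed host names
  const tab = browser.openTab(rp);
  browser.setCookie(rp, "openid_state", "txn-1234");   // constructed cookie
  browser.navigate(tab, op); // redirect to the provider's domain
  browser.navigate(tab, rp); // redirect back to the original site
  return browser.getCookie(rp, "openid_state") === "txn-1234"
    ? "login completed" : "state lost: login fails";
}

// A second tab left open on site1 keeps the cookie alive under the proposed rule.
function openIdLoginWithSecondTab(browser) {
  browser.openTab("site1.example");
  return openIdLogin(browser);
}

console.log(openIdLogin(new Browser({ purgeWhenNoTab: false })));
console.log(openIdLogin(new Browser({ purgeWhenNoTab: true })));
console.log(openIdLoginWithSecondTab(new Browser({ purgeWhenNoTab: true })));
```

Under the proposed rule the outcome of the same login depends on whether another tab happens to be open on the original site.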