Cookies without fixed lifetimes or expiration dates are known as non-persistent, or "session" cookies, meaning they last only as long as the browser session, and poof away when the browser closes. Cookies with expiration dates, "persistent" cookies, are stored/persisted until those dates.


Non-persistent cookies should be used for the management of logged-in sessions on web sites. To make a cookie non-persistent, simply omit the ``++expires++`` attribute.


This rule raises an issue when ``++expires++`` is set for a session cookie, either programmatically or via configuration, such as ``++session.cookie_lifetime++``.

== See

* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
* https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#expire-and-max-age-attributes[OWASP, Session Management Cheat Sheet] - Expire and Max-Age Attributes
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#COOKIE_PERSISTENT[COOKIE_PERSISTENT]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]