== Why is this an issue?

Cookies without fixed lifetimes or expiration dates are known as non-persistent, or "session" cookies, meaning they last only as long as the browser session, and poof away when the browser closes. Cookies with expiration dates, "persistent" cookies, are stored/persisted until those dates.


Non-persistent cookies should be used for the management of logged-in sessions on web sites. To make a cookie non-persistent, simply omit the ``++expires++`` attribute.


This rule raises an issue when ``++expires++`` is set for a session cookie, either programmatically or via configuration, such as ``++session.cookie_lifetime++``.

== Resources

* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
* https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#expire-and-max-age-attributes[OWASP, Session Management Cheat Sheet] - Expire and Max-Age Attributes
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#COOKIE_PERSISTENT[COOKIE_PERSISTENT]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* Pass "0" as first argument.
* Configure "session.cookie_lifetime" to 0.


'''
== Comments And Links
(visible only on this page)

=== on 1 Sep 2015, 08:00:50 Linda Martin wrote:
LGTM!

=== on 15 Sep 2015, 21:15:49 Evgeny Mandrikov wrote:
IMO from an implementation point of view this RSPEC is underspecified, so removing targeting for ``{cpp}`` for now.

endif::env-github,rspecator-view[]