Is there a standard for cookie names used for session IDs?

Mar 01, 2005 21:35:00

Tomcat uses "JSESSION", IIS uses "ASPSESSIONID", etc.

How does a browser know which cookie names to treat as session IDs, i.e. which ones it should send back with subsequent requests?

Mar 02, 2005 08:08:00

The browser doesn't know, nor care, about what version or type of server the pages are being fetched from. The browser will send all cookies it has (for the server) to the server each time a page is fetched. That way the server is guaranteed to get back the cookie it needs to do session management.

As you can see, the session ID cookie name differs for different web servers.

Mar 02, 2005 09:25:00

The browser doesn't know, nor care, about what version or type of server the pages are being fetched from. The browser will send all cookies it has (for the server) to the server each time a page is fetched. That way the server is guaranteed to get back the cookie it needs to do session management.

In IE, at least, there's an option in Privacy->Advanced to "Always allow session cookies". So I thought it must have some criteria built in for recognizing which cookies are session cookies and which aren't. It must also have some method for determining which cookies it should keep around after closing...

See where your hand is? Not there. It's next to this tiny ad:

a bit of art, as a gift, the permaculture playing cards

https://gardener-gift.com