QUOTE(Random832 @ Mon 23rd November 2009, 8:12pm)
QUOTE(dogbiscuit @ Mon 23rd November 2009, 7:12pm)
A cookie is just a header that is downloaded and stored. When the browser sees a cookie that matches a site domain, it automatically sends the cookie back as part of the request in brain dead fashion. At the point the cookie expiration date expires, it is no longer sent back and so the site no longer has the login information (unless it also is tracking by session and decides that it is not interested in cookies while the session is current).
Um, with the cookie gone, the site also no longer has the session, unless it's done something like a URL parameter (which is normally only done if a browser does not support cookies at all).
The session cookie would be distinct from a cookie of login info, and the session normally is killed off when you shut down the browser, again by appropriate setting of the cookie. Session variables are stored on the server, essentially indexed by the session id, whereas the login info needs to be kept on the client computer to survive across sessions.
I'm sure we are not disagreeing; the point is that it is old hat to come up with a fairly robust scheme of timing out sessions, either using server tricks, client tricks or a combination of the two, normally the latter.
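The combination described in the post above, as an added example that is not part of the original thread: a server-side store that times out idle sessions by session id, next to the two cookies a browser would be sent. The cookie names `sid` and `remember`, the class and function names, and the two lifetimes are assumptions chosen for illustration.

```python
import secrets
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60          # assumed: server drops sessions idle > 15 min
REMEMBER_FOR = 30 * 24 * 3600   # assumed: login cookie lifetime of 30 days


class SessionStore:
    """Server side: session variables indexed by session id."""

    def __init__(self):
        self._sessions = {}  # sid -> {"data": {...}, "last_seen": seconds}

    def create(self, now, **data):
        sid = secrets.token_urlsafe(32)  # unguessable id, the only thing sent to the client
        self._sessions[sid] = {"data": data, "last_seen": now}
        return sid

    def get(self, sid, now):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            # Server trick: the session dies here even if the browser
            # still presents the cookie.
            del self._sessions[sid]
            return None
        entry["last_seen"] = now  # sliding idle window
        return entry["data"]


def login_cookies(sid, remember_token=None):
    """Client side: build the Set-Cookie header values for a login response."""
    jar = SimpleCookie()
    jar["sid"] = sid  # no Expires/Max-Age: discarded when the browser closes
    if remember_token:
        jar["remember"] = remember_token
        # Client trick: the browser stops sending this after Max-Age seconds.
        jar["remember"]["max-age"] = REMEMBER_FOR
    for morsel in jar.values():
        morsel["httponly"] = True  # keep both cookies away from page scripts
        morsel["secure"] = True    # send over HTTPS only
        morsel["path"] = "/"
    return [morsel.OutputString() for morsel in jar.values()]
```
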