
Comments on Separation of password cookies from all other types of cookies

Post

Separation of password cookies from all other types of cookies

+1
−3

When I clear my Google Chrome browser history I can clear both "Cookies and other site data" AND "passwords and other sign-in data".

  • Clearing just one of the two would require me to re-login to any website I already had a logged in account on.

  • It is interesting to note that in the Microsoft Edge browser a more modular approach was taken and there it's just "Passwords" (instead of "Passwords and other sign-in data") AND "Cookies and other site data", though the behavior is pretty much the same.

From both a modular software development standpoint and an information security standpoint, separating passwords and their cookies from all other cookies would make life easier for users who want to generally clear cookies frequently but still keep their website accounts logged in.

Why don't web browser developers separate the two?
(Perhaps a separation into "cakes" and "cookies" is a good one, where any "cake" is actually any "password cookie" and any "cookie" is "all the rest".)


1 comment thread

General comments (8 comments)
Lundin wrote almost 3 years ago

What's the question? Is there a software development problem you are trying to solve? Are you designing a web browser? Are you reverse-engineering one?

Moshi wrote almost 3 years ago

The question begging to be asked is "how?" There isn't, afaik, a standard for "password cookies" (which is a terrible name to refer to the session cookies that I assume you mean).

deleted user wrote almost 3 years ago

I mainly try to understand if cookies as we know them are obligatory for keeping a user account logged in to a website, and if there is a movement / trend to separate cookies from passwords (in a way similar to the one I have described).

deleted user wrote almost 3 years ago

Anyway, I have tried to edit the question to focus it more on standards and trying to understand the current development trend.

elgonzo wrote almost 3 years ago

"Why don't web browser developers separate the two?" Whether some cookie or some other (small) piece of data is representing an (active) session is known and decided only by the web server, not the web browser. The concept of a "session" does not exist in the browser software. It merely exists server-side in the backend software running a web site. (1/2)

elgonzo wrote almost 3 years ago · edited almost 3 years ago

(2/2) Keep in mind, cookies are NOT used by a web browser to organize data (beyond managing the ownership/origin constraints and expiry dates of the cookies, of course). Cookies are used by web sites (not browsers!) to store whatever(!!!) pieces of information the web site wants to store client-side. Thus, your question misses the mark. It's not the browser doing something with or knowing about the meaning/purpose of cookies, it's the respective web sites doing something/whatever with cookies...

hkotsubo wrote almost 3 years ago

I guess "passwords and other data" refers to the passwords themselves saved in your browser config (so it offers an option to auto-fill login forms). After you log in, each website might set a cookie with your token/credential info, but Chrome has no way to know which cookies are related to authentication or any-other-stuff-the-website-wants-to-set-cookies-for (websites setting lots of different cookies for whatever reasons is a very common "practice").

elgonzo wrote almost 3 years ago

I have to clarify a statement in my 1st comment. Of course browsers do have concepts of different sessions (browser session, page session, etc.), but these are different from the concept of "web site login sessions" we are talking about here. So, the respective sentence in my 1st comment should have rather been: The concept of a "web site login session" does not exist in the browser software. Hope this helps clear up any possible confusion my unclear communication might have caused... :)
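
The point made in the comments above (the browser stores cookies as opaque name/value pairs, and only the site's backend knows which one stands for a login) can be shown in a few lines. This is an added example, not part of the original thread; the cookie names `sid`, `_track` and `theme` and the in-memory session store are constructed for illustration.

```javascript
// Added illustration: cookie names, attributes and the session store are constructed.
const { randomBytes } = require("node:crypto");

// --- Web site (server) side: only this code knows what each cookie means ---
const sessions = new Map(); // opaque token -> logged-in user

function login(user) {
  const token = randomBytes(16).toString("hex");
  sessions.set(token, user);
  const flags = "Path=/; Secure; HttpOnly; SameSite=Lax";
  return [
    `sid=${token}; ${flags}`,                              // login session
    `_track=${randomBytes(16).toString("hex")}; ${flags}`, // analytics id
    "theme=dark; Path=/; Max-Age=31536000",                // UI preference
  ];
}

function whoAmI(cookieHeader) {
  const pairs = cookieHeader.split("; ").filter(Boolean).map((p) => p.split("="));
  return sessions.get(new Map(pairs).get("sid")) ?? null;
}

// --- Browser side: a cookie is a name, an opaque value and a few attributes ---
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: attrs.sort() };
}

function cookieHeader(jar) {
  return jar.map((c) => `${c.name}=${c.value}`).join("; ");
}

function demo() {
  const jar = login("alice").map(parseSetCookie);
  const [sid, track] = jar;
  return {
    // Same attributes, same value shape: nothing marks sid as "the login cookie".
    sameAttrs: JSON.stringify(sid.attrs) === JSON.stringify(track.attrs),
    sameValueShape: sid.value.length === track.value.length,
    loggedIn: whoAmI(cookieHeader(jar)),
    afterDroppingSid: whoAmI(cookieHeader(jar.filter((c) => c.name !== "sid"))),
    afterClearingAll: whoAmI(cookieHeader([])),
  };
}

console.log(demo());
```

From the browser's side the session cookie and the analytics cookie are indistinguishable, so a "keep login cookies only" option would need a signal from the site that the `Set-Cookie` syntax does not carry.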