What determines the lifetime of a session cookie in an application embedding IE?

Question

In an application that embeds the IE WebBrowser control, what determines the lifetime of a session cookie? It seems that in most cases, a session cookie lives until the process is terminated, but sometimes the cookie is killed when one of the windows with a WebBrowser control is closed while other such windows remain open. Are there relevant settings in the registry?

Answer 1

Do you always have at least one of the Web Browser controls alive? If so, the behavior you describe is a bug. What's the IE version, and are all updates installed?

Session cookies are meant to live for the life of the process, but the way that this is maintained depends on a global counter that is incremented as WebOC instances open and decremented as those WebOCs are destroyed. You can force the counter to zero using the ClearAuthenticationCache ExecCommand from JavaScript (or via the equivalent InternetSetOption from native code), but there's no way to artificially "increment" the counter.

Back in the IE8 timeframe, there were known bugs in the counter, but as far as I know, all of those were since fixed. If you do find yourself needing to preserve a session cookie, you could have native code that periodically checks for the cookie's existence (using InternetGetCookie) and if it's not found, recreate the cookie by calling InternetSetCookie.

Answer 2

The web server does. It gives a cookie an expiration date.

With the option to omit that date. Then it becomes a session cookie, automatically deleted when the browser is closed. Which in the case of an embedded browser means, when you window is closed. Possibly earlier if you dispose the control.