Let's say you're implementing sessions.
You check whether the browser presents a session cookie. If yes, you authenticate the cookie and find the user that the session is associated with, and move on processing the request.
If you don't find a session cookie, you create a new session and send a cookie to the browser which you expect to receive on subsequent requests.
Now my question is: if you did find a session cookie in a request, would you resend the same cookie in the response? Under what circumstances is this right?
Note: I ask this as a Pyramid (Python) programmer, because Pyramid implementation sends the session cookie unconditionally on every response. (go to code)
Generally, you don't need to set the cookie on each and every response. The browser already has the cookie and will continue sending it to the server as long as it is still valid.
Specifically, a Pyramid session cookie is set on every request because it contains a signed and timestamped secret that can expire separately from the normal cookie expiration mechanisms. By setting a new cookie each time Pyramid gets to update the embedded timestamp to show the session is still fresh. In other words, the cookie set is a different one each time.
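To make the refresh-on-every-response behaviour concrete, here is an added example that is not Pyramid's own code and not part of the original answer: a minimal signed, timestamped session cookie where the server re-issues the cookie on every response so the embedded timestamp moves forward. The key, the timeout and the cookie layout (HMAC-SHA256 tag followed by a JSON payload) are assumptions chosen for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo values; a real deployment loads the key from configuration.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
SESSION_TIMEOUT = 1200  # seconds of inactivity after which the session is dead
_TAG_LEN = hashlib.sha256().digest_size


def _sign(payload: bytes) -> bytes:
    """HMAC-SHA256 over the serialized payload (sid + issue time)."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def encode_cookie(session_id: str, issued_at: float) -> str:
    """Build cookie value: base64url(tag || json({"sid": ..., "ts": ...}))."""
    payload = json.dumps({"sid": session_id, "ts": issued_at}).encode()
    return base64.urlsafe_b64encode(_sign(payload) + payload).decode()


def decode_cookie(cookie: str, now: float):
    """Return the session id if the cookie is authentic and fresh, else None."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    tag, payload = raw[:_TAG_LEN], raw[_TAG_LEN:]
    # Constant-time comparison so tag mismatches leak no timing information.
    if len(tag) != _TAG_LEN or not hmac.compare_digest(tag, _sign(payload)):
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict) or "sid" not in data or "ts" not in data:
        return None
    # The embedded timestamp expires independently of the browser-side cookie
    # expiry: an authentic cookie that sat idle too long is simply rejected.
    if now - float(data["ts"]) > SESSION_TIMEOUT:
        return None
    return data["sid"]


def handle_request(cookie, now: float):
    """Server-side per-request logic. Returns (session_id, cookie_to_set).

    A cookie is set on every response; when the incoming cookie was valid
    it carries the same session id but a refreshed timestamp, so the value
    differs from the one the browser sent.
    """
    sid = decode_cookie(cookie, now) if cookie else None
    if sid is None:
        sid = secrets.token_hex(16)  # new session
    return sid, encode_cookie(sid, now)


if __name__ == "__main__":
    sid, c1 = handle_request(None, 1000.0)          # first visit: new session
    sid2, c2 = handle_request(c1, 1500.0)           # same session, fresher cookie
    print(sid == sid2, c1 != c2)                     # True True
    sid3, _ = handle_request(c1, 1000.0 + SESSION_TIMEOUT + 1)
    print(sid3 == sid)                               # False: stale cookie rejected
```

The point the answer makes is visible in `handle_request`: the server never echoes the cookie it received; it mints a new value carrying the same session id and the current time. Without that refresh, a session would die `SESSION_TIMEOUT` seconds after its creation regardless of activity, which is exactly why Pyramid sets the cookie on every response.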