Clear captcha cookie (PHPSESSID) [Research]

Possible security issue: if captcha cookie is persistent, could be found on users machine. Can we change it to session only cookie?

The CAPTCHA code uses the built-in PHP session management facility (start_session(), and so on). No explicit cookie parameters are set. The documentation for cookie lifetime suggests the default is 0, or no expiry date which means the cookie is not persistent and is cleared when the browser closes: http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime

To reproduce this issue, I browsed to a Guest Browsing link. I used Firefox with the View Cookies extension. I observed the P cookie and once I browsed to the create account page with the CAPTCHA, I also observed the PHPSESSID cookie. The View Cookies extension reported both cookies as expires-in-session, i.e. not persistent. I restarted the browser and returned to the Guest Browsing link. On the Terms of Service landing page, I observed that there were no cookies for the domain.

It seems that the CAPTCHA cookie is not persistent and there's no bug here -- or not enough information to reproduce.

More info:

Unlike the P cookie, the PHPSESSID cookie isn't cleared when the user logs out of Psiphon. It is cleared when the browser is closed.

We could clear the PHPSESSID cookie like we do the P cookie by resetting it with a pre-expired expiry date. See: http://www.php.net/manual/en/function.session-destroy.php

Open question: is this a security issue? What are our design requirements for leaving no trace of using Psiphon after logged out, after close browser, etc. To properly address this, first we need a design target; then we need to consider all aspects (e.g., what's in the broweser cache). Maybe we shouldn't be re-inventing Private Browsing browser modes.