[blink-dev] Intent to Prototype: Cookie Expires/Max-Age attribute upper limit

312 views
Skip to first unread message

Ari Chivukula

unread,
Mar 14, 2022, 6:01:50 PM3/14/22
to blink-dev, Jade Kessler, Mike Taylor

Contact emails

ari...@chromium.org, jadek...@chromium.org, mike...@chromium.org


Specification

https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-expires-attribute


Summary

When cookies are set with an explicit Expires/Max-Age attribute the value will now be capped to no more than 400 days in the future. Previously, there was no limit and cookies could expire multiple millennia in the future.

 

Blink component

Blink>Storage>CookiesAPI

 

Motivation

The draft of rfc6265bis now contains an upper limit for Cookie Expires/Max-Age attributes. As written:

`The user agent MUST limit the maximum value of the [Max-Age/Expiration] attribute. The limit MUST NOT be greater than 400 days (34560000 seconds) in duration. The RECOMMENDED limit is 400 days in duration, but the user agent MAY adjust the limit to be less. [Max-Age/Expiration] attributes that are greater than the limit MUST be reduced to the limit.`

 

400 days was chosen as a round number close to 13 months in duration. 13 months was chosen to ensure that sites one visits roughly once a year (e.g., picking health insurance benefits) will continue to work.

 

According to measurements in Chrome, of all cookies set, about 20% have an Expires/Max-Age further than 400 days in the future. Of that 20%: half target 2 years, a quarter target 10 years or more, and the remainder are spread over the rest of the range.


TAG review

N/A


Compatibility

Safari is already partially compliant (has an upper age limit of 7 days when cookies are set client side), while Firefox and Chrome both support cookies with expiration dates orders of magnitude longer than a millenia in the future.


Existing cookies will not expire sooner, but any attempts to update/re-set them will limit the new expiration date to 400 days at most.

 

Interoperability

Gecko: Positive

WebKit: Positive

Web developers: None Yet


Debuggability

Attempts to set cookies with lifetimes past 400 days will be highlighted in the Issues tab.


Is this feature fully tested by web-platform-tests?

No, but that would be added


Tracking bug

https://crbug.com/1264458


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/4887741241229312


Reply all
Reply to author
Forward
0 new messages