[webkit-dev] Request for position: Cookie Expires/Max-Age attribute upper limit

Ari Chivukula arichiv at chromium.org
Wed Jan 19 08:12:07 PST 2022


I'd like to get WebKit's position on:
(1) Having an explicit upper limit for Cookie Expires/Max-Age attributes
(2) Having an explicit upper limit for Cookie Expires/Max-Age attributes
that's less than or equal to 400 days

https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-expires-attribute-2
https://github.com/httpwg/http-extensions/pull/1732
https://github.com/mozilla/standards-positions/issues/592
https://bugs.chromium.org/p/chromium/issues/detail?id=1264458

The draft of rfc6265bis now contains an upper limit for Cookie
Expires/Max-Age attributes. As written:
`The user agent MUST limit the maximum value of the [Max-Age/Expiration]
attribute. The limit MUST NOT be greater than 400 days (34560000 seconds)
in duration. The RECOMMENDED limit is 400 days in duration, but the user
agent MAY adjust the limit to be less. [Max-Age/Expiration] attributes that
are greater than the limit MUST be reduced to the limit.`

400 days was chosen as a round number close to 13 months in duration. 13
months was chosen to ensure that sites one visits roughly once a year
(e.g., picking health insurance benefits) will continue to work.

Safari is already partially compliant (has an upper age limit of 7 days
when cookies are set  client side), while Firefox and Chrome both support
cookies with expiration dates orders of magnitude longer than a millenia in
the future.

According to measurements in Chrome of all cookies set about 20% have an
Expires/Max-Age further than 400 days in the future. Of that 20%: half
target 2 years, a quarter target 10 years or more, and the remainder are
spread over the rest of the range.

~ Ari Chivukula (Their/There/They're)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20220119/56ad134e/attachment.htm>


More information about the webkit-dev mailing list