On 22/11/2024 13:26, Marcel Steinbeck wrote:
> With Tomcat 11.0.0-M19 and later, Rfc6265CookieProcessor omits the Max-Age
> attribute during serialization if its value is 0. The change is traced to this
> commit: d16e846
>
> Omitting Max-Age=0 is unexpected because according to RFC-6265 Section 5.2.2:
>
> [...]
> If delta-seconds is less than or equal to zero (0), let expiry-time be
> the earliest representable date and time. Otherwise, let the
> expiry-time be the current date and time plus delta-seconds seconds.
> [...]
>
> I am aware that RFC-6265 Section 4.1.1 specifies:
>
> max-age-av = "Max-Age=" non-zero-digit *DIGIT
>
> where:
>
> non-zero-digit = %x31-39
> ; digits 1 through 9
>
> However, to my understanding, Section 4.1.1 refers to how user agents should
> store cookie data

No. Section 4.1.1 defines the rules servers should follow when
generating set-cookie headers.

> whereas Section 5.2.2 refers to how user agents should process cookie
> data---this assessment may not be correct, though. Moreover, Max-Age=0 seems to
> be common practice, e.g.:
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#max-agenumber
>
> I therefore wonder what the rationale for omitting Max-Age=0 is, and whether
> this is considered a bug.

No, it isn't a bug. Section 4.1.1 is clear that servers SHOULD NOT be
using Max-Age=0.

What you are seeing is the result of "Be liberal in what you accept, and
conservative in what you send".

Work is underway to further refine the cookie specification.

Mark
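The two halves of RFC 6265 discussed above, the server-side grammar of Section 4.1.1 and the user-agent processing rules of Section 5.2.2, can be shown side by side. The following is an added illustration written for this thread; it is not Tomcat code and does not reproduce what Rfc6265CookieProcessor or commit d16e846 actually does. The function names are made up, and the choice to express a deletion request as an Expires attribute dated 1 Jan 1970 is this example's assumption about one way a server can stay within the 4.1.1 grammar, not something the thread states Tomcat does.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Stand-in for "the earliest representable date and time" (RFC 6265 5.2.2).
EARLIEST = datetime(1970, 1, 1, tzinfo=timezone.utc)


def serialize_set_cookie(name, value, max_age=None):
    """Server side ("conservative in what you send").

    RFC 6265 4.1.1 only allows Max-Age values of 1 or more, so a
    non-positive max_age (a deletion request) is not emitted as Max-Age=0.
    This example's assumption: it is emitted as an Expires date in the past,
    which every 5.2.1-conformant user agent treats as "expire now".
    """
    parts = [f"{name}={value}"]
    if max_age is not None:
        if max_age >= 1:
            parts.append(f"Max-Age={max_age}")
        else:
            parts.append(f"Expires={format_datetime(EARLIEST, usegmt=True)}")
    return "; ".join(parts)


def parse_set_cookie(header, now):
    """User-agent side ("liberal in what you accept").

    Follows RFC 6265 5.2.2: a Max-Age whose value is <= 0 means the
    earliest representable time; a malformed value makes the attribute
    ignored rather than failing the whole header. Per 5.3, Max-Age takes
    precedence over Expires regardless of attribute order.

    Returns (name, value, expiry_time) with expiry_time None when the
    cookie is a session cookie.
    """
    nv, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = nv.partition("=")
    expiry = None
    max_age_seen = False
    for attr in attrs:
        aname, _, avalue = attr.partition("=")
        aname, avalue = aname.strip().lower(), avalue.strip()
        if aname == "max-age":
            # 5.2.2: first char is DIGIT or "-", remainder DIGIT; else ignore.
            body = avalue[1:] if avalue.startswith("-") else avalue
            if not body or not body.isdigit():
                continue
            delta = int(avalue)
            expiry = EARLIEST if delta <= 0 else now + timedelta(seconds=delta)
            max_age_seen = True
        elif aname == "expires" and not max_age_seen:
            try:
                expiry = parsedate_to_datetime(avalue)
            except (TypeError, ValueError):
                continue  # 5.2.1: unparseable date, ignore the attribute
    return name, value, expiry


def is_expired(expiry, now):
    """A cookie with an expiry at or before 'now' is discarded by the UA."""
    return expiry is not None and expiry <= now


if __name__ == "__main__":
    now = datetime(2024, 11, 22, 13, 26, tzinfo=timezone.utc)  # constructed
    deletion = serialize_set_cookie("sid", "", max_age=0)
    print(deletion)
    print(is_expired(parse_set_cookie(deletion, now)[2], now))
    # Constructed header as a client would receive it from a server that
    # does send Max-Age=0; a 5.2.2 parser still expires it immediately.
    print(is_expired(parse_set_cookie("sid=abc; Max-Age=0", now)[2], now))
```

The point the example makes is the one in the reply: the parser accepts Max-Age=0 (and even negative or leading-zero values) because Section 5.2.2 tells user agents to, while the serializer never produces it because Section 4.1.1 tells servers not to; both behaviours are correct at the same time.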
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org