Cookie Expires/Max-Age attribute upper limit

Feature: Cookie Expires/Max-Age attribute upper limit

When cookies are set with an explicit Expires/Max-Age attribute the value will now be capped to no more than 400 days in the future. Previously, there was no limit and cookies could expire as much as multiple millennia in the future.

Motivation

The draft of rfc6265bis now contains an upper limit for Cookie Expires/Max-Age attributes. As written: `The user agent MUST limit the maximum value of the [Max-Age/Expiration] attribute. The limit MUST NOT be greater than 400 days (34560000 seconds) in duration. The RECOMMENDED limit is 400 days in duration, but the user agent MAY adjust the limit to be less. [Max-Age/Expiration] attributes that are greater than the limit MUST be reduced to the limit.` 400 days was chosen as a round number close to 13 months in duration. 13 months was chosen to ensure that sites one visits roughly once a year (e.g., picking health insurance benefits) will continue to work. According to measurements in Chrome, of all cookies set, about 20% have an Expires/Max-Age further than 400 days in the future. Of that 20%: half target 2 years, a quarter target 10 years or more, and the remainder are spread over the rest of the range.

Specification

Specification link

Status: Specification being incubated in a Community Group

Status in Chromium

Blink components: Blink>Storage>CookiesAPI

Implementation status: In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: Positive
Safari: Positive
Web Developers: No signals

Owner

arichiv@chromium.org

Intent to Prototype url

Intent to Prototype thread

Last updated on 2022-05-05