The HTTP working group has identified that any browser that doesn't have other, bigger, compatibility issues supports Max-Age.
Further, RFC 6265bis has been updated to allow Max-Age=0.
Given this I would like to propose the following changes:
- update the Cookie Javadoc to state that for maxAge >=0, Max-Age shall always be sent and an equivalent Expires may be sent
- update the Cookie Javadoc to state that for maxAge <0, neither Max-Age nor Expires shall be sent
- update the TCK to require Max-Age (and to check there is no Expires where none is expected)
Given that RFC 6265 is still in development, do we want to make these changes in Servlet 6.2? They would be strictly in breach of the current RFC 6265 (server should not send Max-Age=0) but the more relaxed client requirements in RFC 6265 do allow Max-Age=0.
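
The proposed rules above, sketched as an added example that is not part of the original post and is not code from the Servlet API or the TCK: `render` and `conforms` are hypothetical helpers, and using the epoch as the equivalent `Expires` for `Max-Age=0` is an assumption. The sample cookie and clock value are constructed.

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Locale;

public class MaxAgeProposalDemo {
    private static final DateTimeFormatter HTTP_DATE = DateTimeFormatter
            .ofPattern("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US)
            .withZone(ZoneOffset.UTC);

    // Hypothetical helper: builds a Set-Cookie value following the proposed rules.
    static String render(String name, String value, int maxAge, boolean alsoExpires, Instant now) {
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (maxAge >= 0) {
            sb.append("; Max-Age=").append(maxAge); // always sent, including Max-Age=0
            if (alsoExpires) {
                // Optional equivalent Expires; assumption: epoch when maxAge is 0.
                Instant when = maxAge == 0 ? Instant.EPOCH : now.plusSeconds(maxAge);
                sb.append("; Expires=").append(HTTP_DATE.format(when));
            }
        }
        return sb.toString(); // maxAge < 0: session cookie, neither attribute is sent
    }

    // Hypothetical TCK-style check: Max-Age required for maxAge >= 0,
    // neither Max-Age nor Expires allowed for maxAge < 0.
    static boolean conforms(String header, int maxAge) {
        boolean hasMaxAge = false, hasExpires = false;
        String[] parts = header.split(";");
        for (int i = 1; i < parts.length; i++) { // parts[0] is name=value
            String attr = parts[i].trim().toLowerCase(Locale.ROOT);
            if (attr.equals("max-age=" + maxAge)) hasMaxAge = true;
            else if (attr.startsWith("max-age=")) return false; // wrong value
            if (attr.startsWith("expires=")) hasExpires = true;
        }
        return maxAge >= 0 ? hasMaxAge : !hasMaxAge && !hasExpires;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T00:00:00Z"); // constructed clock value
        for (int maxAge : new int[] {3600, 0, -1}) {
            for (boolean exp : new boolean[] {false, true}) {
                String h = render("sid", "abc", maxAge, exp, now);
                System.out.println(h + "  -> conforms=" + conforms(h, maxAge));
            }
        }
        // A deletion header that relies on Expires alone fails the proposed check.
        String legacy = "sid=abc; Expires=Thu, 01 Jan 1970 00:00:00 GMT";
        System.out.println(legacy + "  -> conforms=" + conforms(legacy, 0));
    }
}
```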