About
The expiration date is a calculated field that defines the validity of a cookie in time.
Validity
It is defined by the user agent (i.e. the browser) via the following cookie properties:
Session
When no property is set, the default value is Session, as seen in the devtools > Application > Cookies snapshot below.
The user agent will retain the cookie until the current session is over.
The specification defines a session as the time during which the user agent (i.e. the browser) is open, so restarting the browser should delete the current session. In practice, most browsers make this dependent on their startup option. Most of them are set to "continue where you left off", which means that the session is not destroyed even after a restart.
Example with Chrome
Multiple Session
If the server wishes the user agent to persist the cookie over multiple sessions, the server should set at least one of these properties:
If a cookie has both the Max-Age and the Expires attributes, the Max-Age attribute has precedence and controls the expiration date of the cookie.
expires
Below is an expires example: the Set-Cookie header of a response that sends a cookie:
- named lang
- a value of en-US
- and an expires value of Wed, 09 Jun 2021 10:18:14 GMT
Set-Cookie: lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT
An expires with a date in the past will remove the cookie.
Max-Age
The Max-Age attribute indicates the maximum lifetime of the cookie, represented as the number of seconds until the cookie expires.
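The rules above (Session by default, Max-Age taking precedence over Expires, and a past date removing the cookie) can be checked against any Set-Cookie header, which is useful when auditing how long a session cookie really stays valid. The following is an added example, not code from the original page; `cookieExpiry` is a hypothetical helper name, and it assumes the Expires value is a date that JavaScript's `Date` can parse.

```javascript
// Added example: compute the expiry a user agent would derive from a
// Set-Cookie header value. cookieExpiry is a hypothetical helper, not a browser API.
function cookieExpiry(setCookie, now = new Date()) {
  // The first part is name=value; everything after it is an attribute.
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim());
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const name = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? "" : attr.slice(eq + 1).trim();
    if (name === "max-age" && /^-?\d+$/.test(value)) {
      maxAge = parseInt(value, 10); // lifetime in seconds
    } else if (name === "expires") {
      const d = new Date(value); // assumption: Date can parse the value
      if (!Number.isNaN(d.getTime())) expires = d;
    }
  }
  // Max-Age has precedence over Expires when both are present.
  let expiresAt = null;
  if (maxAge !== null) {
    expiresAt = new Date(now.getTime() + maxAge * 1000);
  } else if (expires !== null) {
    expiresAt = expires;
  }
  // Neither attribute: the cookie lives for the current session only.
  if (expiresAt === null) {
    return { kind: "session", expiresAt: null, removed: false };
  }
  // An expiry that is not in the future removes the cookie.
  const removed = expiresAt.getTime() <= now.getTime();
  return { kind: "persistent", expiresAt, removed };
}

// Constructed sample headers, based on the lang=en-US example above.
const sampleNow = new Date("2021-06-01T00:00:00Z");
const samples = [
  "lang=en-US",
  "lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
  "lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Max-Age=60",
];
for (const header of samples) {
  const r = cookieExpiry(header, sampleNow);
  const when = r.expiresAt ? r.expiresAt.toUTCString() : "end of session";
  console.log(`${header}\n  -> ${r.kind}, expires: ${when}, removed: ${r.removed}`);
}
```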