Cookie - Expiration


The expiration date is a calculated field that define the of validity of a cookie in time.


It is defined by the user agent (ie browser) via the following cookie properties:


When no properties is set, the default value is Session as seen in the below devtool > application > cookie snapshoot.

The user agent will retain the cookie until the current session is over

A Session is defined in the specification as the time that the user agent (ie browser) is open. (ie if you restart your browser, the current session should be deleted), but most of the browser makes it dependent on their startup option. Most of them are set to continue where you left which means that the session is not destroyed even in the case of a restart.

Example with chrome

Multiple Session

If the server wishes the user agent to persist the cookie over multiple sessions, the server should set at minimal one of this property:

If a cookie has both the Max-Age and the Expires attribute, the Max-Age attribute has precedence and controls the expiration date of the cookie.


Below is an expires example with a set-cookie header of a response that send a cookie:

  • named lang
  • a value of en-US
  • and an expires value of Wed, 09 Jun 2021 10:18:14 GMT
Set-Cookie: lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT

An expires with a date in the past will remove the cookie.


The Max-Age attribute indicates the maximum lifetime of the cookie, represented as the number of seconds until the cookie expires.

Powered by ComboStrap