How is the Cookie Expiration date calculated? (max-age)

About

The expiration date is a calculated field that defines the validity of a cookie in time.

Validity

It is defined by the user agent (i.e. the browser) via the following cookie properties:

Session

When no property is set, the default value is Session, as seen in the devtool > application > cookie snapshot below.

The user agent will retain the cookie until the current session is over

Cookie Expiration

The specification defines a session as the time during which the user agent (i.e. the browser) is open: if you restart your browser, the current session should be deleted. In practice, most browsers make this dependent on their startup option. Most of them are set to continue where you left off, which means that the session is not destroyed even after a restart.

Example with chrome

Chrome On Startup Continue

Multiple Session

If the server wishes the user agent to persist the cookie over multiple sessions, the server should set at least one of these properties:

If a cookie has both the max-age and the expires attribute, the Max-Age attribute has precedence and controls the expiration date of the cookie.

expires

Below is an expires example with the set-cookie header of a response that sends a cookie:

  • named lang
  • with a value of en-US
  • and an expires value of Wed, 09 Jun 2021 10:18:14 GMT

Set-Cookie: lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT

An expires value with a date in the past removes the cookie.

max-age

The Max-Age attribute indicates the maximum lifetime of the cookie, represented as the number of seconds until the cookie expires.
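The rules above (session by default, Max-Age taking precedence over Expires, a past date removing the cookie) can be followed in this added example, which is not code from the original page. The function name cookieLifetime and the sample headers are constructed; Expires is parsed with Date.parse as a simplification, and treating a Max-Age of zero or less as immediate expiry follows RFC 6265.

```javascript
// Added example: effective cookie lifetime from a Set-Cookie header value.
// Simplification (assumption): Expires is parsed with Date.parse, not the
// lenient cookie-date algorithm of RFC 6265.
function cookieLifetime(setCookie, now = new Date()) {
  let maxAge = null;   // seconds, from Max-Age
  let expires = null;  // epoch milliseconds, from Expires
  // The first segment is name=value; the rest are attributes.
  for (const part of setCookie.split(";").slice(1)) {
    const eq = part.indexOf("=");
    const name = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq < 0 ? "" : part.slice(eq + 1).trim();
    if (name === "max-age" && /^-?\d+$/.test(value)) {
      maxAge = Number(value);            // malformed values are ignored
    } else if (name === "expires") {
      const t = Date.parse(value);
      if (!Number.isNaN(t)) expires = t; // unparsable dates are ignored
    }
  }
  // Max-Age has precedence over Expires.
  let expiry;
  if (maxAge !== null) {
    expiry = maxAge <= 0 ? 0 : now.getTime() + maxAge * 1000;
  } else if (expires !== null) {
    expiry = expires;
  } else {
    return { kind: "session", expiry: null }; // kept until the session ends
  }
  // An expiry that is not in the future removes the cookie.
  const kind = expiry <= now.getTime() ? "removed" : "persistent";
  return { kind, expiry: new Date(expiry) };
}

// Constructed sample headers, evaluated at a fixed "now".
const now = new Date("2021-06-01T00:00:00Z");
const samples = [
  "lang=en-US",
  "lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
  "lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Max-Age=3600",
  "lang=en-US; Expires=Wed, 09 Jun 2010 10:18:14 GMT",
  "lang=en-US; Max-Age=0",
];
for (const h of samples) {
  const r = cookieLifetime(h, now);
  console.log(r.kind.padEnd(10), r.expiry ? r.expiry.toISOString() : "-", "|", h);
}
```

When reviewing a session or authentication cookie, the "session" result is the one to check against the browser startup behaviour described earlier, since such a cookie may outlive a restart.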




