With Tomcat 11.0.0-M19 and later, Rfc6265CookieProcessor omits the Max-Age
attribute during serialization if its value is 0. The change is traced to this
commit: d16e846
Omitting Max-Age=0 is unexpected because according to RFC-6265 Section 5.2.2:
[...]
If delta-seconds is less than or equal to zero (0), let expiry-time be
the earliest representable date and time. Otherwise, let the
expiry-time be the current date and time plus delta-seconds seconds.
[...]
I am aware that RFC-6265 Section 4.1.1 specifies:
max-age-av = "Max-Age=" non-zero-digit *DIGIT
where:
non-zero-digit = %x31-39
; digits 1 through 9
However, to my understanding, Section 4.1.1 refers to how user agents should
store cookie data whereas Section 5.2.2 refers to how user agents should
process cookie data---this assessment may not be correct, though. Moreover,
Max-Age=0 seems to be common practice, e.g.:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#max-agenumber
I therefore wonder what the rationale for omitting Max-Age=0 is, and whether
this is considered a bug.
Regards,
Marcel Steinbeck
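
Added example, not part of the original message and not Tomcat code: a Python check that tests a Set-Cookie value's Max-Age against the Section 4.1.1 grammar quoted above and computes the expiry-time a user agent derives under the Section 5.2.2 rule quoted above. The function name, the sample headers and the use of the Unix epoch as the "earliest representable date and time" are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Server-side grammar quoted above (Section 4.1.1): non-zero-digit *DIGIT
SERVER_GRAMMAR = re.compile(r"[1-9][0-9]*")
# User-agent parsing (Section 5.2.2): optional "-" then digits, else ignored.
UA_GRAMMAR = re.compile(r"-?[0-9]+")
# Stand-in for "the earliest representable date and time" (assumption).
EARLIEST = datetime(1970, 1, 1, tzinfo=timezone.utc)


def analyze_max_age(set_cookie, now):
    """Return (raw_value, matches_4_1_1, expiry_time) for a Set-Cookie value.

    expiry_time is None when no usable Max-Age is present, in which case the
    user agent falls back to Expires or treats the cookie as a session cookie.
    """
    raw, expiry = None, None
    for attr in set_cookie.split(";")[1:]:  # first element is name=value
        name, _, value = attr.partition("=")
        if name.strip().lower() != "max-age":
            continue
        raw = value.strip()
        if not UA_GRAMMAR.fullmatch(raw):
            continue  # 5.2.2: a malformed attribute is ignored
        delta = int(raw)
        # 5.2.2: delta-seconds <= 0 means the earliest representable time.
        expiry = EARLIEST if delta <= 0 else now + timedelta(seconds=delta)
    matches = raw is not None and SERVER_GRAMMAR.fullmatch(raw) is not None
    return raw, matches, expiry


if __name__ == "__main__":
    now = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock
    # Constructed sample headers, not captured from any server.
    for header in (
        "SID=abc; Max-Age=3600; Path=/",
        "SID=; Max-Age=0; Path=/",
        "SID=; Path=/",
        "SID=; Max-Age=-1; Path=/",
    ):
        raw, ok, expiry = analyze_max_age(header, now)
        removed = expiry is not None and expiry <= now
        print(f"{header!r}: Max-Age={raw!r} 4.1.1={ok} "
              f"expiry={expiry} removed={removed}")
```

For the header without Max-Age the function returns no expiry, so whether the cookie is removed then depends on the other attributes sent with it, such as Expires.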