Cookie expiration #10

Open
roryhewitt opened this issue Jan 7, 2025 · 8 comments

Comments

@roryhewitt
Contributor

Your new spec and the original RFC 6265 both specify that the correct way for a server to delete a cookie on the client is to send a Set-Cookie response header with the cookie name and an Expires value in the past. From your document (Section 4.1.2 - Semantics - Non-Normative):

"[...] Notice that servers can delete cookies by sending the user agent a new cookie with an Expires attribute with a value in the past."

This mechanism is also spelled out in Section 3.1 - Examples.

Can I suggest that the cookie deletion/removal (not sure of which term is preferred) mechanism is 'officially' specified in a 4.1.* section, rather than being relegated to a line within a paragraph in a 'non-normative' section?

Also there are plenty of instances where developers attempt to delete/remove a cookie by sending a Set-Cookie header with a date in the past, but the date is incorrectly formatted, resulting in the cookie not being deleted. While this is normally fixed quickly, since it's pretty easy for a developer to tell whether the cookie has been deleted on the user-agent, perhaps a 'standard' date could be suggested and documented in this section, e.g. some wording along the lines of the following:

To delete a cookie, it is suggested that servers send a Set-Cookie header with the following Expires attribute:

Expires=Sun, 06 Nov 1994 08:49:37 GMT

Using this common date to remove client cookies can make it easier to track cookie removal functionality in your own codebase.

@johannhof
Owner

It's probably a good idea to improve our documentation of how to clear cookies, I agree. cc @annevk @sbingler

I should also mention @yoavweiss's efforts to introduce a new Delete-Cookie mechanism for the future, see w3c/webappsec-clear-site-data#82 and https://lists.w3.org/Archives/Public/ietf-http-wg/2024OctDec/0147.html

However, due to the backwards-facing nature of these kinds of features improved documentation probably still makes sense.

@roryhewitt
Contributor Author

Frankly, even without @yoavweiss's explicit Delete-Cookie response header, I'd like to see the main cookie spec, and therefore UAs that follow it, allow the use of Expires=0 as a valid means to expire/remove a cookie. Some UAs probably do this already...

@sbingler
Collaborator

> Can I suggest that the cookie deletion/removal (not sure of which term is preferred) mechanism is 'officially' specified in a 4.1.* section, rather than being relegated to a line within a paragraph in a 'non-normative' section?

That seems like a good idea to me.

> allow the use of Expires=0 as a valid means to expire/remove a cookie.

Max-Age=0 will immediately expire the cookie. I think any new text on cookie deletion should primarily use max-age given its ease of use.

The Max-Age section warns that not all user agents support it, but that's almost certainly out of date and should be updated after confirmation.

@roryhewitt
Contributor Author

I'm more than willing to fork and add the separate section on cookie deletion and create a PR, but it's your document - I don't want to tread on your toes.

@johannhof
Owner

Please feel free to submit PRs to this document! Note that it's not officially adopted by the HTTPWG yet.

@annevk
Collaborator

annevk commented Jan 14, 2025

Do we have tests for Expires=0 and Max-Age=0?

@sbingler
Collaborator

Max-Age=0 is tested by the WPT "Expire later cookie with same name and max-age=0".

Expires=0 is an invalid date and should be ignored by the UA. I don't see a WPT for invalid Expires values but Chrome tests its implementation.
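As an added example, not code from the draft, from RFC 6265, or from any participant in this thread: a small JavaScript model of the RFC 6265 storage rules (sections 5.1.1, 5.2 and 5.3) that exercises the deletion forms discussed in the opening post and in the Max-Age=0 / Expires=0 exchange above. It assumes host-only cookies on a single host, handles only the Expires, Max-Age and Path attributes (no Secure, HttpOnly or SameSite), and takes the request path from the caller so the default-path rule can be applied; the host name, cookie names and Set-Cookie headers are constructed for the demonstration.

```javascript
// Added example, not from the draft or the thread: a model of RFC 6265 sections
// 5.1.1 (cookie-date), 5.2 (Set-Cookie parsing) and 5.3 (storage) for deletion.
// Assumptions: host-only cookies on one host, only Expires/Max-Age/Path handled,
// request path supplied by the caller for the default-path rule.

const MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
                "jul", "aug", "sep", "oct", "nov", "dec"];

// RFC 6265 5.1.1: lenient date parsing. Returns epoch milliseconds, or null when
// the value does not parse; a null makes the UA ignore the Expires attribute
// (not the whole Set-Cookie header).
function parseCookieDate(value) {
  // delimiter = %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E (":" is not one)
  const tokens = value.split(/[\x09\x20-\x2f\x3b-\x40\x5b-\x60\x7b-\x7e]+/).filter(Boolean);
  let time = null, day = null, month = null, year = null, m;
  for (const tok of tokens) {                      // match order is fixed by the spec
    if (time === null && (m = /^(\d{1,2}):(\d{1,2}):(\d{1,2})(?:\D.*)?$/.exec(tok))) {
      time = [Number(m[1]), Number(m[2]), Number(m[3])];
    } else if (day === null && (m = /^(\d{1,2})(?:\D.*)?$/.exec(tok))) {
      day = Number(m[1]);
    } else if (month === null && MONTHS.includes(tok.slice(0, 3).toLowerCase())) {
      month = MONTHS.indexOf(tok.slice(0, 3).toLowerCase());
    } else if (year === null && (m = /^(\d{2,4})(?:\D.*)?$/.exec(tok))) {
      year = Number(m[1]);
    }
  }
  if (time === null || day === null || month === null || year === null) return null;
  if (year >= 70 && year <= 99) year += 1900;      // two-digit year fixups
  if (year >= 0 && year <= 69) year += 2000;
  const [h, mi, s] = time;
  if (day < 1 || day > 31 || year < 1601 || h > 23 || mi > 59 || s > 59) return null;
  const ms = Date.UTC(year, month, day, h, mi, s);
  return new Date(ms).getUTCMonth() === month ? ms : null; // rejects e.g. 31 Feb
}

// RFC 6265 5.2: name=value plus the attributes this model cares about.
function parseSetCookie(header) {
  const [pair, ...avs] = header.split(";");
  const eq = pair.indexOf("=");
  if (eq < 0) return null;                          // name=value is mandatory
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(),
                   expires: null, maxAge: null, path: null };
  if (!cookie.name) return null;
  for (const av of avs) {
    const i = av.indexOf("=");
    const attr = (i < 0 ? av : av.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : av.slice(i + 1).trim();
    if (attr === "expires") cookie.expires = parseCookieDate(val);  // null => ignored
    else if (attr === "max-age" && /^-?\d+$/.test(val)) cookie.maxAge = Number(val);
    else if (attr === "path" && val.startsWith("/")) cookie.path = val;
  }
  return cookie;
}

// RFC 6265 5.1.4 default-path: the request path up to (excluding) its last "/".
function defaultPath(requestPath) {
  const i = requestPath.lastIndexOf("/");
  return requestPath.startsWith("/") && i > 0 ? requestPath.slice(0, i) : "/";
}

// RFC 6265 5.3: cookies are keyed on (name, domain, path); a new cookie replaces
// the old one with the same key, and an already-expired cookie is evicted.
class CookieStore {
  constructor() { this.cookies = new Map(); }
  receive(header, { host, path, now }) {
    const c = parseSetCookie(header);
    if (!c) return;
    const cookiePath = c.path ?? defaultPath(path);
    let expiry = Infinity;                         // no Max-Age/Expires: session cookie
    if (c.maxAge !== null) expiry = c.maxAge <= 0 ? -Infinity : now + c.maxAge * 1000;
    else if (c.expires !== null) expiry = c.expires;
    const key = `${c.name};${host};${cookiePath}`;
    this.cookies.delete(key);
    if (expiry > now) this.cookies.set(key, { name: c.name, value: c.value, path: cookiePath });
  }
  list() { return [...this.cookies.values()].map(c => `${c.name}=${c.value} (Path=${c.path})`); }
}

// Constructed scenario: a session cookie set under /app, then five deletion attempts.
function demo() {
  const ctx = { host: "example.test", path: "/app/login", now: Date.UTC(2025, 0, 7) };
  const run = (deletion) => {
    const store = new CookieStore();
    store.receive("sid=abc123; Path=/app", ctx);
    store.receive(deletion, ctx);
    return store.list();
  };
  return {
    expiresPast:  run("sid=; Path=/app; Expires=Sun, 06 Nov 1994 08:49:37 GMT"), // []
    maxAgeZero:   run("sid=; Path=/app; Max-Age=0"),                              // []
    defaultPath:  run("sid=; Max-Age=0"),            // default-path of /app/login is /app: []
    expiresZero:  run("sid=; Path=/app; Expires=0"), // invalid date ignored, session cookie kept
    pathMismatch: run("sid=; Path=/; Max-Age=0"),    // different key, original survives
  };
}
```

Two points the run makes that the thread only touches on: a deletion header has to carry the same Path (and, outside this host-only model, the same Domain) as the cookie it targets, because the store keys on name, domain and path, so `Path=/` does not remove a cookie stored under `Path=/app`; and an Expires value that fails the 5.1.1 algorithm (such as `0`) does not cause the header to be dropped, it causes the attribute to be dropped, so the cookie is overwritten with an empty-valued session cookie rather than removed. Note also that the 5.1.1 algorithm is lenient about surrounding tokens (a trailing `UTC` instead of `GMT` still parses) but not about missing day, month, year or time fields.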

@roryhewitt
Contributor Author

@sbingler clearly Expires=0 is invalid, but I was under the impression that some UAs treated it as an expiration request and deleted the cookie rather than discarding the header. Similar to how some UAs/servers allow the use of Referrer rather than Referer - it's invalid, but it's clear what the user is trying to do.

Mind you, last time I checked was probably with IE6, so...
