-
-
Notifications
You must be signed in to change notification settings - Fork 16.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
res.cookie does not allow setting Max-Age only, without Expires (One should be able to set maxAge alone, with expires: 0) #5150
Comments
The RFC6265 - section 4.1.2.2 describes the following behavior:
Therefore in the usecase that you described, your proposed solution won't make a difference except the used "user agent"/browser is not implementing RFC6265 properly. |
Hi @tjarbo that is correct, user agents that support |
Hi @dougwilson, wow - I really had to go far back in history to find a well-known specification which describes So @nbkhope, I also do not see an issue with the current behavior of express. As dougwilson said, maybe an explanation of your use-case could help. |
Hi @tjarbo there are many other user agents then web browsers. And many still ezist today that never kept up with the changes in specs. It was added to express in reponse to users have issues is all. As for web browsers, I believe Internet Explorer never supported max-age until IE8, well after Netscape stopped being relevant. And I wouldn't say express objective is to support every web browser in existence or anything. In this case it just seemed like people where reporting an issue, and adding expires fixed it and we didn't see any harm, as all modern clients just ignore it and use max age (and even thenusing expires would have the same result as long as the two clocks are not out of sync). |
I want to set a cookie with
Max-Age
only, without havingExpires
. But the following lines 875-876 keep adding the unwantedExpires
:express/lib/response.js
Lines 871 to 878 in 0debedf
Setting
expires: 0
does no good to override that behavior.I think one should be allowed to only set Max-Age without automatically having Expires also set.
Actual result:
Desired result:
Workaround
The workaround for this is our having to manually write the
Set-Cookie
statement, possibly mimicking the same logic in the express code.Possible solution
The text was updated successfully, but these errors were encountered: