The good news is sites can continue to use max-age to reset the
expiration 400 days in the future, every time the user visits (assuming
that's desired behavior), for example in JS:
document.cookie = `lol=ok; max-age=${60 * 60 * 24 * 400}`;
We'll work with DevRel to make sure this is properly
LGTM3
I am slightly concerned with cookies used daily unexpectedly
disappearing every 400 days. If there was a way to refresh them when
used, maybe that would make this smoother for web developers, but that
is a followup feature. If the metrics show that it is a common scenario.
/Daniel
On
LGTM2.
I recognize Yoav's concern, and I think it's reasonable, but I'm less
concerned about it than he is. Still, adding the metrics under discussion
here is a good step, and if they cause us to reevaluate the impact, we'll
have plenty of time to do so.
-mike
On Wednesday, April 13, 2022 at
On Tue, Apr 12, 2022 at 9:10 PM Ari Chivukula wrote:
> Deal, but let's call metrics for M103 and the feature in M104.
>
Sure, I should've said N and N+1
> ~ Ari Chivukula (Their/There/They're)
>
>
> On Mon, Apr 11, 2022 at 8:57 PM Yoav Weiss wrote:
>
>> LGTM1 conditional on:
>>
>>-
Deal, but let's call metrics for M103 and the feature in M104.
~ Ari Chivukula (Their/There/They're)
On Mon, Apr 11, 2022 at 8:57 PM Yoav Weiss wrote:
> LGTM1 conditional on:
>
>- Landing the metrics in M102 and the feature in M103
>- Coming back to this thread when the numbers start
LGTM1 conditional on:
- Landing the metrics in M102 and the feature in M103
- Coming back to this thread when the numbers start coming in on the
metrics
- Having a flag in place that'd enable us to disable the feature in case
the numbers indicate that the loss of cookies due to
Here's a design doc for the additional data to be measured:
https://docs.google.com/document/d/1x7_2wVY2gSEfMlvpS4AoQtN5x7fHG_AsQ01V4CkSELI/edit
The target ship date for this thread is now M103, but we're still looking
for LGTMs.
~ Ari Chivukula (Their/There/They're)
On Mon, Apr 11, 2022 at
Since we don't currently store the last date a cookie was updated in chrome
(just the original creation date) we wouldn't be able to get data on how
many cookies would expire due to a lack of timely refreshes by the site (as
opposed to a lack of site visits) for up to 400 days. The problem is that
IIUC from offline conversations, once we start changing the expiration
dates of cookies, we won't have a way to avoid enforcing that expiration
date 400 days from now. So we probably want to get this right and avoid
breakage for sites that don't currently update their cookies every time (as
even
We don't currently, but we know only 20% of cookies set in chrome are over
the limit (and that 20% will continue to work if not updated). We're
planning proactive communication about the change once it's approved since
there's a 400 day window from the change going in until effects are first
felt.
Thanks! It seems like we'd need to tell developers then that they need to
update their cookies on every site visit. I don't know if this is a big
change from what they are already largely doing. Do we have data on that?
On Fri, Apr 8, 2022 at 7:26 PM Ari Chivukula wrote:
> The actual expiration
The actual expiration date written to the cookie store is capped at 400
days for any new/updated cookies.
If a newly logged-in site doesn't refresh its cookies for 400 days after
they are set, the cookies expire and the user will be logged out no matter
how often the user visits the site.
~ Ari
What happens if a newly logged-in site doesn't refresh its cookies on every
visit, the user visits that site every ~months, and 400 days pass?
In other words, when does the 400 days clock get reset: on visit or on
cookie renewal?
On Fri, Apr 8, 2022 at 4:59 PM Ari Chivukula wrote:
> Cookies
Cookies already in storage will not have this new limit imposed, but any
cookies newly set or updated will have it imposed.
If an existing logged-in site isn't visited for 400 days, and it previously
allowed > 400 day retention, the user will still be logged in on the 401st
day.
If an existing
Do I understand correctly and the 400 days clock will not be reset when the
site is visited, but only when cookies are set?
Does that mean that if existing sites don't try to re-set cookies when ones
are set, their users will be logged out after 400 days, even if they visit
the site regularly?
On
Contact emails
aric...@chromium.org, miketa...@chromium.org
Specification
https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-expires-attribute
Summary
When cookies are set with an explicit Expires/Max-Age attribute the value
will now be capped to no more than 400
16 matches
Mail list logo
