Do I understand correctly that the 400-day clock will not be reset when the
site is visited, but only when cookies are set?
Does that mean that if existing sites don't try to re-set cookies when ones
are set, their users will be logged out after 400 days, even if they visit
the site regularly?

On Wed, Apr 6, 2022 at 4:57 PM Ari Chivukula <aric...@chromium.org> wrote:

> Contact emails
>
> aric...@chromium.org, miketa...@chromium.org
>
> Specification
>
>
> https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-expires-attribute
>
> Summary
>
> When cookies are set with an explicit Expires/Max-Age attribute the value
> will now be capped to no more than 400 days in the future. Previously,
> there was no limit and cookies could expire multiple millennia in the
> future.
>
>
>
> Blink component
>
> Internals>Network>Cookies
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ECookies>
>
>
>
> Motivation
>
> The draft of rfc6265bis
> <https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-expires-attribute>
> now contains an upper limit for Cookie Expires/Max-Age attributes. As
> written:
>
> `The user agent MUST limit the maximum value of the [Max-Age/Expiration]
> attribute. The limit MUST NOT be greater than 400 days (34560000 seconds)
> in duration. The RECOMMENDED limit is 400 days in duration, but the user
> agent MAY adjust the limit to be less. [Max-Age/Expiration] attributes that
> are greater than the limit MUST be reduced to the limit.`
>
>
>
> 400 days was chosen as a round number close to 13 months in duration. 13
> months was chosen to ensure that sites one visits roughly once a year
> (e.g., picking health insurance benefits) will continue to work.
>
>
>
> According to measurements in Chrome, of all cookies set, about 20% have an
> Expires/Max-Age further than 400 days in the future. Of that 20%: half
> target 2 years, a quarter target 10 years or more, and the remainder are
> spread over the rest of the range.
>
> TAG review
>
> Just an FYI <https://github.com/w3ctag/design-reviews/issues/729> (this
> is a small change that has already landed in the draft spec and has support
> from other browsers, but we'll send an FYI issue to the TAG).
>
> Compatibility
>
> Existing cookies will not expire sooner, but any attempts to update/re-set
> them will limit the new expiration date to 400 days at most.
>
>
> Interoperability
>
> Safari is already partially compliant (it has an upper age limit of 7 days
> when cookies are set client side but no limit when set by the server),
> while Firefox and Chrome both support cookies with expiration dates orders
> of magnitude longer than a millennium in the future.
>
> Gecko: Positive
> <https://github.com/mozilla/standards-positions/issues/592>
>
> WebKit: Positive
> <https://lists.webkit.org/pipermail/webkit-dev/2022-January/032096.html>
>
> Web developers: None Yet, but attempting to gather some
> <https://twitter.com/miketaylr/status/1509228889058463749>.
>
> Debuggability
>
> Attempts to set cookies with lifetimes past 400 days will be highlighted in
> the Issues tab
> <https://docs.google.com/document/d/1lDEvj8tMeuvUs1HTTqL-44YiI-7ljeQkusM_WhUfIeE/edit>
> .
>
> Is this feature fully tested by web-platform-tests?
>
> There’s some
> <http://third_party/blink/web_tests/external/wpt/cookie-store/cookieListItem_attributes.https.any.js>,
> but more will be added once testdriver.js supports it
> <https://github.com/web-platform-tests/rfcs/pull/108>.
>
> Tracking bug
>
> https://crbug.com/1264458
>
> Link to entry on the Chrome Platform Status
>
> https://chromestatus.com/feature/4887741241229312
>
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to blink-dev+unsubscr...@chromium.org.
> To view this discussion on the web visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGpy5DJdgcDqgJQOq%3DHdvLzMV%2BRupiW7Wqv2swPco%2BQzWtziSQ%40mail.gmail.com
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGpy5DJdgcDqgJQOq%3DHdvLzMV%2BRupiW7Wqv2swPco%2BQzWtziSQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>
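
Added example, not part of either message and not Chromium's code: a small model of the cap quoted from the draft, plus a constructed scenario for the question at the top of the thread (a login cookie set once versus re-sent on every visit). It assumes the expiry is computed from the time the `Set-Cookie` is processed; `cappedExpiry`, `firstLoggedOutVisit` and the `sid` header are hypothetical names, and `Date.parse` stands in for the draft's cookie-date parsing.

```javascript
const DAY_MS = 86400000;
const MAX_AGE_LIMIT_S = 34560000; // 400 days, the limit quoted from the draft

// Expiry (ms since epoch) that a capping user agent would store for a Set-Cookie
// value processed at `nowMs`; null means a session cookie (no Expires/Max-Age).
// Simplification: Date.parse replaces the draft's cookie-date algorithm.
function cappedExpiry(setCookie, nowMs) {
  const limitMs = nowMs + MAX_AGE_LIMIT_S * 1000;
  let maxAge = null;
  let expires = null;
  for (const part of setCookie.split(';').slice(1)) {
    const eq = part.indexOf('=');
    if (eq < 0) continue; // flag attributes such as Secure or HttpOnly
    const name = part.slice(0, eq).trim().toLowerCase();
    const value = part.slice(eq + 1).trim();
    if (name === 'max-age' && /^-?\d+$/.test(value)) maxAge = Number(value);
    if (name === 'expires' && !Number.isNaN(Date.parse(value))) {
      expires = Date.parse(value);
    }
  }
  if (maxAge !== null) { // Max-Age takes precedence over Expires
    if (maxAge <= 0) return 0; // non-positive Max-Age: expire immediately
    return Math.min(nowMs + maxAge * 1000, limitMs);
  }
  if (expires !== null) return Math.min(expires, limitMs);
  return null;
}

// Constructed scenario: login at day 0 with a 10-year Max-Age, then one visit
// every `intervalDays`. Returns the day of the first visit at which the cookie
// has already expired, or null if it survives until `horizonDays`.
function firstLoggedOutVisit(intervalDays, refreshOnVisit, horizonDays) {
  const header = 'sid=constructed; Max-Age=315360000; Secure; HttpOnly';
  let expiry = cappedExpiry(header, 0);
  for (let day = intervalDays; day <= horizonDays; day += intervalDays) {
    const now = day * DAY_MS;
    if (now >= expiry) return day;
    // Only processing a new Set-Cookie moves the expiry; a bare visit does not.
    if (refreshOnVisit) expiry = cappedExpiry(header, now);
  }
  return null;
}

console.log(firstLoggedOutVisit(30, false, 1000), firstLoggedOutVisit(30, true, 1000));
```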
