Thanks! It seems like we'd need to tell developers then that they need to update their cookies on every site visit. I don't know if this is a big change from what they are already largely doing. Do we have data on that?
On Fri, Apr 8, 2022 at 7:26 PM Ari Chivukula <aric...@chromium.org> wrote:
> The actual expiration date written to the cookie store is capped at 400
> days for any new/updated cookies.
>
> If a newly logged-in site doesn't refresh its cookies for 400 days after
> they are set, the cookies expire and the user will be logged out no matter
> how often the user visits the site.
>
> ~ Ari Chivukula (Their/There/They're)
>
>
> On Fri, Apr 8, 2022 at 8:57 AM Yoav Weiss <yoavwe...@chromium.org> wrote:
>
>> What happens if a newly logged-in site doesn't refresh its cookies on
>> every visit, the user visits that site every ~months, and 400 days pass?
>> In other words, when does the 400 days clock get reset: on visit or on
>> cookie renewal?
>>
>> On Fri, Apr 8, 2022 at 4:59 PM Ari Chivukula <aric...@chromium.org>
>> wrote:
>>
>>> Cookies already in storage will not have this new limit imposed, but any
>>> cookies newly set or updated will have it imposed.
>>>
>>> If an existing logged-in site isn't visited for 400 days, and it
>>> previously allowed > 400 day retention, the user will still be logged in on
>>> the 401st day.
>>>
>>> If an existing logged-in site newly updates its login cookies and then
>>> isn't visited for 400 days, the login cookies will expire after 400 days of
>>> inactivity.
>>>
>>> Any newly logged-in site will have the 400 day limit imposed.
>>>
>>> ~ Ari Chivukula (Their/There/They're)
>>>
>>>
>>> On Fri, Apr 8, 2022 at 12:14 AM Yoav Weiss <yoavwe...@chromium.org>
>>> wrote:
>>>
>>>> Do I understand correctly and the 400 days clock will not be reset when
>>>> the site is visited, but only when cookies are set?
>>>> Does that mean that if existing sites don't try to re-set cookies when
>>>> ones are set, their users will be logged out after 400 days, even if they
>>>> visit the site regularly?
>>>>
>>>> On Wed, Apr 6, 2022 at 4:57 PM Ari Chivukula <aric...@chromium.org>
>>>> wrote:
>>>>
>>>>> Contact emails
>>>>>
>>>>> aric...@chromium.org, miketa...@chromium.org
>>>>>
>>>>> Specification
>>>>>
>>>>> https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-expires-attribute
>>>>>
>>>>> Summary
>>>>>
>>>>> When cookies are set with an explicit Expires/Max-Age attribute the
>>>>> value will now be capped to no more than 400 days in the future.
>>>>> Previously, there was no limit and cookies could expire multiple millennia
>>>>> in the future.
>>>>>
>>>>> Blink component
>>>>>
>>>>> Internals>Network>Cookies
>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ECookies>
>>>>>
>>>>> Motivation
>>>>>
>>>>> The draft of rfc6265bis
>>>>> <https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-expires-attribute>
>>>>> now contains an upper limit for Cookie Expires/Max-Age attributes. As
>>>>> written:
>>>>>
>>>>> `The user agent MUST limit the maximum value of the
>>>>> [Max-Age/Expiration] attribute. The limit MUST NOT be greater than 400
>>>>> days (34560000 seconds) in duration. The RECOMMENDED limit is 400 days in
>>>>> duration, but the user agent MAY adjust the limit to be less.
>>>>> [Max-Age/Expiration] attributes that are greater than the limit MUST be
>>>>> reduced to the limit.`
>>>>>
>>>>> 400 days was chosen as a round number close to 13 months in duration.
>>>>> 13 months was chosen to ensure that sites one visits roughly once a year
>>>>> (e.g., picking health insurance benefits) will continue to work.
>>>>>
>>>>> According to measurements in Chrome, of all cookies set, about 20%
>>>>> have an Expires/Max-Age further than 400 days in the future. Of that 20%:
>>>>> half target 2 years, a quarter target 10 years or more, and the remainder
>>>>> are spread over the rest of the range.
>>>>>
>>>>> TAG review
>>>>>
>>>>> Just an FYI <https://github.com/w3ctag/design-reviews/issues/729>
>>>>> (this is a small change that has already landed in the draft spec and has
>>>>> support from other browsers, but we'll send an FYI issue to the TAG).
>>>>>
>>>>> Compatibility
>>>>>
>>>>> Existing cookies will not expire sooner, but any attempts to
>>>>> update/re-set them will limit the new expiration date to 400 days at most.
>>>>>
>>>>> Interoperability
>>>>>
>>>>> Safari is already partially compliant (it has an upper age limit of 7 days
>>>>> when cookies are set client side but no limit when set by the server),
>>>>> while Firefox and Chrome both support cookies with expiration dates orders
>>>>> of magnitude longer than a millennium in the future.
>>>>>
>>>>> Gecko: Positive
>>>>> <https://github.com/mozilla/standards-positions/issues/592>
>>>>>
>>>>> WebKit: Positive
>>>>> <https://lists.webkit.org/pipermail/webkit-dev/2022-January/032096.html>
>>>>>
>>>>> Web developers: None Yet, but attempting to gather some
>>>>> <https://twitter.com/miketaylr/status/1509228889058463749>.
>>>>>
>>>>> Debuggability
>>>>>
>>>>> Attempts to set cookies with lifetimes past 400 days will be
>>>>> highlighted in the Issues tab
>>>>> <https://docs.google.com/document/d/1lDEvj8tMeuvUs1HTTqL-44YiI-7ljeQkusM_WhUfIeE/edit>.
>>>>>
>>>>> Is this feature fully tested by web-platform-tests?
>>>>>
>>>>> There’s some
>>>>> <http://third_party/blink/web_tests/external/wpt/cookie-store/cookieListItem_attributes.https.any.js>,
>>>>> but more will be added once testdriver.js supports it
>>>>> <https://github.com/web-platform-tests/rfcs/pull/108>.
>>>>>
>>>>> Tracking bug
>>>>>
>>>>> https://crbug.com/1264458
>>>>>
>>>>> Link to entry on the Chrome Platform Status
>>>>>
>>>>> https://chromestatus.com/feature/4887741241229312
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "blink-dev" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to blink-dev+unsubscr...@chromium.org.
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGpy5DJdgcDqgJQOq%3DHdvLzMV%2BRupiW7Wqv2swPco%2BQzWtziSQ%40mail.gmail.com
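
The expiry behaviour clarified in this thread (the 400-day clock restarts when a cookie is set or updated, not when the site is visited), as an added example that is not part of the original messages and is not Chromium code. The helper names, the cookie attributes in `refreshedSetCookie`, and the visit schedule are assumptions constructed for illustration.

```javascript
// Added illustration of the rule described in the thread; not Chromium code.
const MAX_AGE_CAP_SECONDS = 34560000; // 400 days, the limit quoted from rfc6265bis
const DAY_SECONDS = 86400;
const CAP_DAYS = MAX_AGE_CAP_SECONDS / DAY_SECONDS; // 400

// Day on which a cookie set or updated on `nowDay` actually expires.
function cappedExpiryDay(nowDay, requestedDays) {
  return nowDay + Math.min(requestedDays, CAP_DAYS);
}

// Replays a visit schedule against one login cookie.
//   initialExpiryDay: expiry already in the cookie store (a cookie stored
//                     before the change keeps its original, uncapped expiry)
//   visitDays:        ascending days on which the user visits
//   refreshOnVisit:   whether the site re-sends Set-Cookie on each visit
// Returns the first visit day on which the cookie is already gone, or null.
function firstLoggedOutVisit({ initialExpiryDay, visitDays, requestedDays, refreshOnVisit }) {
  let expiryDay = initialExpiryDay;
  for (const day of visitDays) {
    if (day >= expiryDay) return day; // expired before this visit
    if (refreshOnVisit) expiryDay = cappedExpiryDay(day, requestedDays);
  }
  return null;
}

// Set-Cookie value a server could re-send on authenticated responses so the
// clock restarts. Attribute choices here are assumptions, not from the thread.
function refreshedSetCookie(name, value, requestedSeconds) {
  const maxAge = Math.min(requestedSeconds, MAX_AGE_CAP_SECONDS);
  return `${name}=${value}; Max-Age=${maxAge}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed schedule: login on day 0, then one visit every 30 days for two years.
const monthlyVisits = Array.from({ length: 24 }, (_, i) => (i + 1) * 30);
const tenYears = 3650;

// New login, site asks for ten years but never refreshes the cookie.
const noRefresh = firstLoggedOutVisit({
  initialExpiryDay: cappedExpiryDay(0, tenYears),
  visitDays: monthlyVisits, requestedDays: tenYears, refreshOnVisit: false,
});
// Same login, cookie re-set on every visit.
const withRefresh = firstLoggedOutVisit({
  initialExpiryDay: cappedExpiryDay(0, tenYears),
  visitDays: monthlyVisits, requestedDays: tenYears, refreshOnVisit: true,
});
console.log({ noRefresh, withRefresh });
```
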