[RFC6265bis] Why is the Max-Age limitation specified for the User Agent? #2789
Comments
For more background: honojs/hono#2762. This is an issue for the server-side framework "Hono". It restricts max-age to shorter than 400 days according to the RFC recommendation.
I'm not sure I agree that removing any mention of the user-agent in the Set-Cookie section is a better outcome. IMHO, it's useful to consider the client even in the context of server requirements.
That seems like a valid choice for the framework. I'm not sure I would make the same choice, but frameworks like to be opinionated, and I can see the logic behind the thinking. I don't see how this is a bug in the draft.
I'm not against that.
Hi, Both the I see the UA's 400 day recommendation as an application of this principle.
That's the correct interpretation.
The spec is communicating that cookies that specify a longer lifetime than "session" should have that lifetime limited. It does that by saying that max-age attributes should be limited. The same limit is applied to Ultimately the spec is giving instructions on how UAs should behave. This behavior will obviously affect Servers but it is not for Servers.
I agree with @miketaylr. Frameworks are free to apply whatever limit they like.
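The two readings discussed above (the user agent trimming whatever Max-Age it receives, versus a server-side framework refusing to emit a large Max-Age in the first place), as an added example that is not part of this issue, the RFC 6265bis draft text, or the Hono project. The UA side parses a received Set-Cookie header and clamps the resulting lifetime to the 400-day ceiling the thread refers to (34560000 seconds); the server side applies a framework-style policy of rejecting a larger Max-Age before the header is sent. The minimal Set-Cookie parser, the function names, and the simplified Expires handling (JavaScript's Date.parse instead of the RFC cookie-date algorithm) are assumptions made for this example.

```javascript
// Added example, not code from the httpwg draft or from Hono.
// 400 days is the ceiling the thread discusses; expressed here in seconds.
const MAX_COOKIE_LIFETIME_SECONDS = 400 * 24 * 60 * 60; // 34560000

// Minimal Set-Cookie parser (assumption for this example): splits the
// name=value pair from its attributes and lower-cases attribute names.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  if (eq <= 0) throw new Error('Set-Cookie must start with a non-empty name=value pair');
  const cookie = { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1), attrs: {} };
  for (const attr of parts.slice(1)) {
    if (attr === '') continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// User-agent side: compute the expiry the UA will actually store.
// Max-Age takes precedence over Expires; a non-integer Max-Age is ignored;
// Max-Age <= 0 means "expire now"; neither attribute means a session cookie.
// Whatever the server sent, the stored lifetime is capped at `limitSeconds`
// measured from receipt time `nowMs`.
function effectiveExpiry(header, nowMs, limitSeconds = MAX_COOKIE_LIFETIME_SECONDS) {
  const { attrs } = parseSetCookie(header);
  const limitMs = nowMs + limitSeconds * 1000;
  let candidate;
  if (typeof attrs['max-age'] === 'string' && /^-?\d+$/.test(attrs['max-age'])) {
    const delta = Number(attrs['max-age']);
    candidate = delta <= 0 ? nowMs : nowMs + delta * 1000;
  } else if (typeof attrs.expires === 'string') {
    // Simplification (assumption): Date.parse, not the RFC cookie-date algorithm.
    const parsed = Date.parse(attrs.expires);
    if (!Number.isNaN(parsed)) candidate = parsed;
  }
  if (candidate === undefined) return { persistent: false, expiresMs: null, clamped: false };
  const clamped = candidate > limitMs;
  return { persistent: true, expiresMs: clamped ? limitMs : candidate, clamped };
}

// Server side: a framework-style policy (assumption modelled on the thread's
// description of Hono, not Hono's code) that refuses to emit a Max-Age above
// the limit instead of relying on the UA to trim it.
function buildSetCookie(name, value, { maxAge, path = '/' } = {}, limitSeconds = MAX_COOKIE_LIFETIME_SECONDS) {
  if (!/^[^\s;=,]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[;\r\n]/.test(value)) throw new Error('cookie value must not contain ";" or CR/LF');
  let header = `${name}=${value}; Path=${path}`;
  if (maxAge !== undefined) {
    if (!Number.isInteger(maxAge)) throw new Error('Max-Age must be an integer number of seconds');
    if (maxAge > limitSeconds) throw new Error(`Max-Age ${maxAge} exceeds the ${limitSeconds}s limit`);
    header += `; Max-Age=${maxAge}`;
  }
  return header;
}

// Demo: a two-year Max-Age (constructed input) is clamped by the UA,
// and rejected outright by the server-side policy.
function demo() {
  const now = Date.UTC(2024, 0, 1);
  const uaView = effectiveExpiry('sid=abc; Path=/; Max-Age=63072000; Secure; HttpOnly', now);
  let serverError = null;
  try {
    buildSetCookie('sid', 'abc', { maxAge: 63072000 });
  } catch (e) {
    serverError = e.message;
  }
  return { uaView, serverError };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node. The UA function shows the first reading from the thread: a server that sends Max-Age=63072000 still ends up with a 400-day cookie, because the limit is applied to the received value. The server helper shows the other reading, where the limit is enforced before the header is ever sent; both can coexist, since nothing in the UA rule prevents a server from being stricter.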
In that case, what causes the misreading is the lack of specifying "received" for Max-Age.

- The user agent MUST limit the maximum value of the Max-Age attribute.
+ The user agent MUST limit the maximum value of the received Max-Age attributes values.
- Max-Age attributes that are greater than the limit MUST be reduced to the limit.
+ Received Max-Age attributes value that are greater than the limit MUST be reduced to the limit by user agent.

And mentioning that this recommendation is not for the server would also make the spec clearer for me.
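Review bot: both "+" lines have a number-agreement problem in the proposed wording. "received Max-Age attributes values" should read "received Max-Age attribute values", and "Received Max-Age attributes value that are greater than the limit MUST be reduced to the limit by user agent" should read "Received Max-Age attribute values that are greater than the limit MUST be reduced to the limit by the user agent" (plural "values", and the article before "user agent"). The substantive change, scoping the limit to values the user agent receives, is otherwise clear.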
I think a better option would be to move the paragraphs to a more UA focused section. I'll work on a PR.
In Section 4.1.2.2:

This section mentions the Max-Age limitation. But Max-Age is an attribute for Set-Cookie, not for Cookie, and Set-Cookie is sent by the Server, not the Client. So I'm wondering why this section is written for "User-Agent" and not "Implementation".

It can be considered as "Server could send any max-age, but Client will trim it to < 400day", but in that case, that recommendation is not for the "Max-Age" attribute itself, but for lifetime management in the implementation.

If this recommendation is for the Max-Age attribute, it'll apply not (only?) to the User Agent but to the Server. So it should use not "User Agent" but "Implementation".