Cookie handling in 97

When processing the following cookie headers:

set-cookie: h_ID=s01;max-age=1800;Domain=example.com;Path=/;HttpOnly
set-cookie: ID=s01;max-age=1800;Domain=example.com;Path=/;HttpOnly;Secure;SameSite=None

Firefox 97.0a1 (2021-12-21) ignores max-age and treats these as Session cookies. I also tested with an explicit expires entry, and it still treated them as Session cookies.

Is this expected behavior? I tested against 96.0b7, 95.0.2, and 91.4.1esr, and all of them added proper expiration times to these cookies, but 97.0a1 shows “Session” instead.

I don’t know if this is a change or not, but the MDN docs say, that cookies without Expires are treated as session cookies. If they have an Expires attribute, they are permanent cookies.

So you should provide both Expires and Max-Age (if both are provided, Max-Age should take precedence).

References:

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

Good thought, but even with expires, it still is treating this:

set-cookie: ID=s01; max-age=1800; expires=Wed, 22 Dec 2021 17:49:42.37 GMT; Domain=example.com; Path=/; Secure; HttpOnly; SameSite=None
set-cookie: h_ID=s01; max-age=1800; expires=Wed, 22 Dec 2021 17:49:42.37 GMT; Domain=example.com; Path=/; HttpOnly

as a session cookie on 97.0a1 (2021-12-22)

I also tested with “Max-Age” and “Expires” vs “max-age” and “expires” to be certain that it was not a new case-sensitivity that was introduced, but neither form is being recognized.

Both forms work in 96.0b8 still: with and without expires, and all lower vs. mixed case.