Cookie Maximum Lifespan

Hi,

I want to confirm what is the max limit of cookie we can set, chrome is setting it to 400 days, what about firefox or any other modern browsers?

Please advise.

Hi @Rajesh_Kumar_Yadav and welcome to the community :wave:

I don’t have a definitive answer, but looking at this forum (with disabled “uBlock Origin”) I see the “_ga” cookie from Google Analytics. On Firefox it expires in two years and on Chrome - as you said - in 400 days. The privacy policy of Google says that this cookie is set for two years. So I don’t know if this is also the Firefox max-age or if it would allow even higher max-ages.

Probably the most pragmatic way to test would be setting a cookie with a very high expires or max-age value and see what browsers set when they receive it.

Cheers,
Michael

Thanks, on my project, one of the cookies is set for 10 years and I can see Fri, 24 Sep 2032 12:44:50 GMT on chrome and firefox too in developer tool (I am a front-end developer) I didn’t check the Safari.

But I wonder, if chrome says 400 days then how it is setting till 10 years.

I will update this page, if I will find more clarity, thanks for your reply.

1 Like

I checked edge, which is chromium based so it is picking exact 400 days as 2023-11-01T12:50:20.951Z

May be I need to update my chrome browser from 98 to latest to see if that started setting 400.

1 Like

I have checked the updated chrome (Version 105.0.5195.127 (Official Build) (64-bit)
) and it is also setting for 400 days as 2023-11-01T12:54:57.352Z

1 Like

I dug a bit deeper and there is currently an HTTP specification draft about cookies which states:

The user agent MUST limit the maximum value of the Expires attribute. The limit SHOULD NOT be greater than 400 days (34560000 seconds) in the future. The RECOMMENDED limit is 400 days in the future, but the user agent MAY adjust the limit (see Section 7.2). Expires attributes that are greater than the limit MUST be reduced to the limit.

Chrome shipped this upcoming recommendation in version 104.
Firefox and Safari are generally positive about the recommendation, but haven’t worked on it, yet.

So I think it’s save to assume that in the future the browsers will all adhere (more or less) to the limit of 400 days.

1 Like

https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-expires-attribute and https://chromestatus.com/feature/4887741241229312

This link I already have seen and found the ref for google chrome, thank you for sharing other links too, will have quick look soon.

1 Like