
HTTP Cookie expire time (average, maximum, ...)

I am writing a bachelor thesis about web visitor tracking, and therefore HTTP cookies are an important part of it. Are there "natural" restrictions regarding maximum expire time, max age, ...? I read that the expire-number is a Unix timestamp (32-bit) and so it should work until 2038. On the other hand, it's supposed that modern browsers use a 64-bit number to store it.

I tried to set an extremely high value (Chromium/Linux).

Warning: Expiry date cannot have a year greater then 9999 in [...]

But other browsers tend to implement different ranges - are there any W3C recommendations?

What is the most common average expire-time? Do you know of any studies or papers? I wasn't able to find any, but this is such a popular topic...

NaN asked Apr 09 '12 08:04


1 Answer

RFC 6265 defines Cookies, so if we look at section 5.2.1, we see:

If the expiry-time is later than the last date the user agent can represent, the user agent MAY replace the expiry-time with the last representable date.

Dates are not sent as Unix timestamps but as the representation defined in section 5.1.1, which only specifies a lower bound: the year 1601.

So this leaves the upper bound for the expiry date to the browser. Most browsers will use their OS's underlying date utilities (or glibc respectively), so their constraints will apply (which should mostly be 64-bit capable by now). To get a definite answer, you might have to check the various browser implementations.

mensi answered Oct 13 '22 11:10
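
As an added example (not part of the original answer), the code below follows the RFC 6265 section 5.1.1 parsing steps and the optional clamp from section 5.2.1 that the answer quotes. The names `parseCookieDate`, `expiryFor` and `TIME_T_32_MAX_MS` and the sample dates are chosen for illustration, and the text after each numeric field is treated as optional.

```javascript
// Added example (not from the original answer): RFC 6265 section 5.1.1
// cookie-date parsing plus the optional clamp from section 5.2.1.
const DELIM = /[\x09\x20-\x2F\x3B-\x40\x5B-\x60\x7B-\x7E]+/;
const MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
                "jul", "aug", "sep", "oct", "nov", "dec"];
// Assumed limit of a user agent that stores expiry in a signed 32-bit time_t.
const TIME_T_32_MAX_MS = (2 ** 31 - 1) * 1000; // 2038-01-19T03:14:07Z

// Returns the parsed date as milliseconds since the Unix epoch, or null.
function parseCookieDate(text) {
  let time, day, month, year, m;
  for (const tok of text.split(DELIM).filter(Boolean)) {
    // Each field is taken from the first token that matches it, in this order.
    if (!time && (m = /^(\d{1,2}):(\d{1,2}):(\d{1,2})(?:\D|$)/.exec(tok))) {
      time = m.slice(1, 4).map(Number);
    } else if (day === undefined && (m = /^(\d{1,2})(?:\D|$)/.exec(tok))) {
      day = Number(m[1]);
    } else if (month === undefined &&
               MONTHS.includes(tok.slice(0, 3).toLowerCase())) {
      month = MONTHS.indexOf(tok.slice(0, 3).toLowerCase());
    } else if (year === undefined && (m = /^(\d{2,4})(?:\D|$)/.exec(tok))) {
      year = Number(m[1]); // at most four digits, so 9999 is the largest year
    }
  }
  if (!time || day === undefined || month === undefined || year === undefined) {
    return null;
  }
  if (year >= 70 && year <= 99) year += 1900;
  else if (year <= 69) year += 2000;
  const [h, min, s] = time;
  if (day < 1 || day > 31 || year < 1601 || h > 23 || min > 59 || s > 59) {
    return null;
  }
  const ms = Date.UTC(year, month, day, h, min, s);
  // Reject dates that do not exist, such as 31 Feb (Date.UTC would roll over).
  return new Date(ms).getUTCDate() === day ? ms : null;
}

// Expires handling: unparsable values are ignored (null); dates beyond the
// user agent's last representable date MAY be replaced by that date.
function expiryFor(text, lastRepresentableMs) {
  const ms = parseCookieDate(text);
  return ms === null ? null : Math.min(ms, lastRepresentableMs);
}
```

Passing `TIME_T_32_MAX_MS` models a 32-bit user agent that clamps a far-future `Expires` to January 2038, while a larger limit leaves a year-9999 date unchanged.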