Expiressets an expiry date for when a cookie gets deleted. This is a time from GMT.
Max-agesets the time in seconds for when a cookie will be deleted
Expires was being used to specify cookie age. However as in Http 1.1 expires was deprecated, Max-Age is the replacement for this. Now instead of specifying a date, you can just specify the number of seconds a cookie should live. By setting any of these two you can persist cookies. If nothing is set then the cookie lives till browser close. i.e. it behaves like session cookie.
Example using expires:
same using Max-Age
Now tricky part is Max-Age is not supported in most versions of Internet Explorer (IE). IE6, IE7, IE8 don't support it, where as rest all browsers support both. These browsers that support Max-Age will ignore expires.
Solution For JBoss :
To instruct JBoss for always setting expires attribute you should add the following jvm property