Thursday, April 5, 2012

Cookies Max-Age vs Expires & newer Jboss


Have you noticed the cookie headers sent by JBoss 6 or 7? If you look, you will see that the Expires attribute is missing and a new attribute, Max-Age, is added instead.
I will explain what these mean and why you should care:
  • Expires sets an absolute date and time (in GMT) at which the cookie gets deleted.
  • Max-Age sets the time in seconds after which the cookie will be deleted.
Expires used to be the way to specify a cookie's age. However, as of HTTP 1.1 Expires was deprecated and Max-Age is its replacement: instead of specifying a date, you just specify the number of seconds the cookie should live. Setting either of the two makes the cookie persistent. If neither is set, the cookie lives until the browser is closed, i.e. it behaves like a session cookie.

Example using Expires:

    Set-Cookie: foo=bar; Path=/; Expires=Fri, 06-Apr-2012 13:30:00 GMT

The same using Max-Age:

    Set-Cookie: foo=bar; Path=/; Max-Age=60

Now the tricky part: Max-Age is not supported in most versions of Internet Explorer (IE). IE6, IE7 and IE8 don't support it, whereas all other browsers support both. Browsers that support Max-Age will ignore Expires when both are present.

Solution for JBoss:
To instruct JBoss to always set the Expires attribute as well, add the following JVM property:

-Dorg.apache.tomcat.util.http.ServerCookie.ALWAYS_ADD_EXPIRES=true
There are many more cookie properties that can be configured. For a complete list, see the Apache configuration documentation.
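As an added example (not code from the post or from JBoss), the Python below serializes a Set-Cookie header the way ALWAYS_ADD_EXPIRES=true does, deriving Expires from Max-Age, and then computes the lifetime a client would apply with and without Max-Age support, which shows why a legacy IE client otherwise ends up with a session cookie. The function names and the reference time NOW are my own assumptions.

```python
from datetime import datetime, timedelta, timezone

# Date layout used in the post's example (Expires=Fri, 06-Apr-2012 13:30:00 GMT).
EXPIRES_FMT = "%a, %d-%b-%Y %H:%M:%S GMT"

# Constructed reference time, one minute before the post's example Expires value.
NOW = datetime(2012, 4, 6, 13, 29, 0, tzinfo=timezone.utc)


def build_set_cookie(name, value, max_age, now, path="/", always_add_expires=True):
    """Serialize a Set-Cookie header value.

    With always_add_expires (what ALWAYS_ADD_EXPIRES=true does), an Expires
    attribute is derived from Max-Age so that clients which ignore Max-Age
    (IE6-8) still persist the cookie instead of treating it as a session cookie.
    """
    parts = [f"{name}={value}", f"Path={path}", f"Max-Age={max_age}"]
    if always_add_expires:
        expires = now + timedelta(seconds=max_age)
        parts.append("Expires=" + expires.strftime(EXPIRES_FMT))
    return "; ".join(parts)


def effective_expiry(set_cookie, now, supports_max_age=True):
    """Absolute time at which a client would drop the cookie, or None for a
    session cookie. A client that understands Max-Age gives it precedence
    over Expires; a legacy client only looks at Expires."""
    attrs = {}
    for attr in set_cookie.split(";")[1:]:  # skip the leading name=value pair
        key, _, val = attr.strip().partition("=")
        attrs[key.lower()] = val.strip()
    if supports_max_age and "max-age" in attrs:
        return now + timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return datetime.strptime(attrs["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)
    return None  # neither attribute: the cookie dies when the browser closes


def remaining_seconds(set_cookie, now, supports_max_age=True):
    """Seconds the cookie survives from `now`, or None if it is a session cookie."""
    expiry = effective_expiry(set_cookie, now, supports_max_age)
    return None if expiry is None else int((expiry - now).total_seconds())
```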
