#729: Cookie Expires/Max-Age attribute upper limit
Discussions
2022-04-25
Yves: still a huge amount of long expiring cookies. Wondering about impact. Expiring current old cookies, .. avoid issue where people are losing whatever state they have in that case. Small comment. otherwise looks decent. Some cookies are used for authn, good to not have them there for too long.
Dan: sounds fine. I noted there was a new version of the cookie spec from ietf that just came out, right?
Yves: not aware of that..
Dan: Should we be prompting the http wg to ask us for review of the cookie spec?
Yves: the spec itself is in the http wg. I expect they reviewed it. New cookies can't be more than 400 days, in the rfc. Question here is just what happens to existing cookies
Hadley: webkit's position, linked from the issue, is they're generally in favour but also wanted to say there are use cases for cookies outside of browsers where no limits still makes sense - machine to machine communication over http. So if they end up with something more nuanced than a hard 400 day rule that might accommodate or affect the cookies you're looking at
Yves: also looked at webkit position.
Hadley: can leave comment.. but concerned about having that exception to then be exploitable..
Yves: machine to machine, there is probably a way to replace the cookie once it has expired. they just need to modify a bit for new cookies.. the issue is really about old cookies that are in use in systems that may not be updateable.
Hadley: if we do want to get into the discussion, I particularly like that that max age is the maximum and the UA can adjust the limit to be less. So presumably there would be a situation in which you could set your UA to blanket limit all cookies to 20 days or whatever works for you. Might there then be ways to handle exceptions, have behind permission prompts? But then could that be exploited to innundate users with requests to agree to a permanent cookie?
Yves: a regular UA doing set cookie with date in the future for every hit. At worst if you have one hit per year you're safe. Old things, eg. machine to machine where the cookie is set in stone somewhere. The server might forget it because it's expired, that can lead to some issues. Really edge cases.
Dan: close with comment?
Yves: Yeah I think so
Hadley: yes. Good to be supportive of overall aim. [will leave comment] [close satisfied]
Yves: Mozilla and webkit are roughly the same. Having a limit is good, and figure out some details for edge cases
Dan: multistakeholder ftw
OpenedApr 6, 2022
Braw mornin' TAG!
This is an FYI for adding a Cookie Expires/Max-Age attribute upper limit.
When cookies are set with an explicit Expires/Max-Age attribute the value will now be capped to no more than 400 days in the future. Previously, there was no limit and cookies could expire multiple millennia in the future.
The draft of rfc6265bis now contains an upper limit for Cookie Expires/Max-Age attributes. As written:
The user agent MUST limit the maximum value of the [Max-Age/Expiration] attribute. The limit MUST NOT be greater than 400 days (34560000 seconds) in duration. The RECOMMENDED limit is 400 days in duration, but the user agent MAY adjust the limit to be less. [Max-Age/Expiration] attributes that are greater than the limit MUST be reduced to the limit.400 days was chosen as a round number close to 13 months in duration. 13 months was chosen to ensure that sites one visits roughly once a year (e.g. picking health insurance benefits) will continue to work.
According to measurements in Chrome, of all cookies set, about 20% have an Expires/Max-Age further than 400 days in the future. Of that 20%: half target 2 years, a quarter target 10 years or more, and the remainder are spread over the rest of the range.
CanonicalCookieWithClampingTest).Further details:
We'd prefer the TAG provide feedback as (please delete all but the desired option):
🐛 open issues in our GitHub repo for each point of feedback
TAG Security & Privacy Questionnaire Answers for Cookie Expires/Max-Age attribute upper limit
Questions
1. What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?
N/A, this feature exposes no new information to websites or other parties.
2. Do features in your specification expose the minimum amount of information necessary to enable their intended uses?
Yes, no new information is exposed.
3. How do the features in your specification deal with personal information, personally-identifiable information (PII), or information derived from them?
It does not deal directly in PII, but websites could be using cookies to store PII.
4. How do the features in your specification deal with sensitive information?
It does not handle sensitive information.
5. Do the features in your specification introduce new state for an origin that persists across browsing sessions?
No, this specification does not introduce new state (the expiration date was already tracked).
6. Do the features in your specification expose information about the underlying platform to origins?
No, the expiration date is not visible to websites.
7. Does this specification allow an origin to send data to the underlying platform?
Yes, but no more than the existing cookies spec does.
8. Do features in this specification enable access to device sensors?
No 9. What data do the features in this specification expose to an origin? Please also document what data is identical to data exposed by other features, in the same or different contexts.
See the answer to question 6.
10. Do features in this specification enable new script execution/loading mechanisms?
No
11. Do features in this specification allow an origin to access other devices?
No
12. Do features in this specification allow an origin some measure of control over a user agent’s native UI?
No
13. What temporary identifiers do the features in this specification create or expose to the web?
Nothing beyond what's currently possible with Cookies.
14. How does this specification distinguish between behavior in first-party and third-party contexts?
It does not distinguish between them except for the ways that the Cookies spec already does.
15. How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode?
It will work the same, the expiration date limit is enforced there too.
16. Does this specification have both "Security Considerations" and "Privacy Considerations" sections?
Yes. https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-privacy-considerations
17. Do features in your specification enable origins to downgrade default security protections?
No
18. How does your feature handle non-"fully active" documents?
N/A
19. What should this questionnaire have asked?
N/A