Max-Age cookie attribute seems to be handled incorrectly
Categories
(DevTools :: Netmonitor, defect)
Tracking
(Not tracked)
People
(Reporter: richard.lakatos91, Unassigned)
Details
(Whiteboard: [necko-triaged])
Attachments
(2 files)
Received cookie in the dev tools
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Steps to reproduce:
To help reproduce this issue, I created a simple flask app to manually set the "Expires" and "Max-Age" attributes for a cookie in the "Set-Cookie" header. (I'll upload the source.)
If both are set, "Max-Age" should take precedence according to this: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#removal_defining_the_lifetime_of_a_cookie
I called the endpoint to see the result.
Actual results:
When both attributes are set, "Expires" appears to take precedence. This can consistenly be reproduced, I tried with the Windows and Ubuntu variant of version 128.0. I'll attach a screenshot showing the result.
This happens in a new profile as well.
The resulting cookie on the Network Tab of the developer tools looks like this, when calling the /both endpoint of the attached application:
{
"Response Cookies": {
"testcookie": {
"expires": "2032-01-01T00:00:01.000Z",
"httpOnly": true,
"path": "/",
"secure": true,
"value": "testcookievalue"
}
}
}
Expected results:
If both are set, "Max-Age" should take precedence according to this: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#removal_defining_the_lifetime_of_a_cookie
When using this test app, the cookie should have an expiration roughly 20 in the future.
|
Reporter | |
Comment 1•1 year ago
|
||
|
|
Reporter | |
Comment 2•1 year ago
|
||
I should add, calling the same service with curl looks like this:
curl -kv http://192.168.42.123:5000/both
- Trying 192.168.42.123:5000...
- Connected to 192.168.42.123 (192.168.42.123) port 5000 (#0)
GET /both HTTP/1.1
Host: 192.168.42.123:5000
User-Agent: curl/7.81.0
Accept: /
- Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: Werkzeug/3.0.3 Python/3.12.3
< Date: Wed, 10 Jul 2024 15:11:58 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 159
< Set-Cookie: testcookie=testcookievalue; Expires=Thu, 1 Jan 2032 00:00:01 GMT; Max-Age=1234; Secure; HttpOnly; Path=/
< Connection: close
<
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Cookie setter page</title>
</head>
<body>
This page sets the cookie.
</body>
</html>
|
||
Comment 3•1 year ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::Networking: Cookies' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
|
||
Comment 4•1 year ago
|
||
Hey Richard,
Thank for raising this bug and providing the flask test code.
I tried your code and notice the behavior mentioned in the bug.
I would like to highlight that functionally we dont have a problem:
We take max-age expiry time before sending a request to the server.
If I reduce the max-age to 4 seconds with expires date unchanged, we do not send cookie after 4 seconds delay
However, in devtools cookie tab we just display expires field.
In that case I would consider this as a display issue in devtools.
could you please confirm.
|
|
Reporter | |
Comment 5•1 year ago
|
||
Hi Sunil,
thanks for getting back on this!
Yes, you're absolutely right. I tried what you suggested and can see that the cookie indeed expires correctly, and is not sent with subsequent requests.
Then this seems to be an issue in the devtools.
|
|
Reporter | |
Updated•1 year ago
|
|
|
||
Comment 6•1 year ago
|
||
The product::component has been changed since the backlog priority was decided, so we're resetting it.
For more information, please visit BugBot documentation.
|
|
Reporter | |
Updated•1 year ago
|
Description
•