-1

Cookies have two attributes (Max-Age and Expires) that seem to serve identical purposes, namely specifying when a given cookie will expire.

According to MDN, Expires:

Indicates the maximum lifetime of the cookie as an HTTP-date timestamp. See Date for the required formatting.

And Max-Age:

Indicates the number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately. If both Expires and Max-Age are set, Max-Age has precedence.

To me this sounds like they're completely synonymous, the only difference being the format in which the expiration date is expressed; with Expires specifying an actual date-time, and Max-Age specifying a time span.

It seems like Expires actually predates Max-Age, and Max-Age was introduced much later, but why? That's my question. What shortcoming does Expires have that Max-Age looks to rectify? And when should one be preferred over the other? If the only thing that's different about Max-Age is how it expresses the expiration date, then its introduction seems pretty pointless, doesn't it?

To my surprise, I couldn't actually find any relevant information on this, it seems as though I'm the only one for whom this is a question mark, which I find strange, so tell me if I'm missing something.

Note that my question isn't strictly about the technical difference between the two attributes (there are already questions like this one that cover this), I'm specifically curious about the reason and the motive behind the introduction of Max-Age, when Expires already existed and did fundamentally the same thing.

Arad Alvand
  • 8,607
  • 10
  • 51
  • 71
  • How is this "opinion-based"? I'm asking a perfectly objective question. It seems like whoever decides these things just refuses to read the questions properly and actually understand them, for some unfathomable reason. – Arad Alvand Dec 12 '22 at 02:45
  • 1
    See https://meta.stackoverflow.com/questions/323334/is-asking-why-on-language-specifications-still-considered-as-primarily-opinio. The problem with a _“Why?”_ questions like this one is that the answers they typically get are primarily opinion-based —just like the the answer this question has already received. The only people who could actually answer this question are the people who wrote the specification that introduced the Max-Age parameter. Others here can generally only speculate about what rationale the people who wrote the specification might have had. – sideshowbarker Dec 12 '22 at 02:56
  • @sideshowbarker The answer that my question has received doesn't actually answer my question, which is why I haven't marked it as the accepted answer. The fact that the answer is inadequate and is opinion-based doesn't make the question opinion-based. My question was fairly specific: Why was the `Max-Age` cookie attribute introduced? This question has an *objective* answer, and as such cannot be "opinion-based". – Arad Alvand Dec 12 '22 at 03:01
  • 1
    @sideshowbarker Furthermore, the claim that "The only people who could actually answer this question are the people who wrote the specification that introduced the Max-Age parameter." makes no sense whatsoever. Things like this are decided upon based on technical/objective reasons, that's like saying "The only people who could actually answer the question of 'Why was `let` introduced in JavaScript when we already had `var`' are the people who wrote the specification." That is an absurd claim, quite clearly. – Arad Alvand Dec 12 '22 at 03:05
  • 1
    If you hope to get better answers to this question than the unsatisfactory answer this one has already received, consider re-titling it and re-wording it. Because as it’s currently worded, it’s not likely to receive any answers you’re likely to find satisfactory. See the discussion and advice in the answer at https://meta.stackoverflow.com/questions/323334/is-asking-why-on-language-specifications-still-considered-as-primarily-opinio/323382#323382. Maybe a title such as, _“What’s a specific scenario in which Max-Age solves a problem that can’t be solved by Expires?”_ – sideshowbarker Dec 12 '22 at 03:14

1 Answers1

0

I think it's better to use Max-Age. Think about what happens when the frontend and backend somehow (accidentally) use different timezones. It's less error-prone imo, but for the sake of backwards compatibility you should set the Expires attribute too. Also if some of your logic in your code relies on the expiration of the cookie, you should clearly use Expires.

eramin
  • 29
  • 4