When setting the max-age parameter to zero (0), the cookie is set as a session cookie instead of being removed. The package treats a zero value of max-age as if it's not set. But according to RFC-6265, a zero value should remove the cookie, just as a negative value does. Here's a quote from the section "5.2.2. The Max-Age Attribute":
If delta-seconds is less than or equal to zero (0), let expiry-time be the earliest representable date and time. Otherwise, let the expiry-time be the current date and time plus delta-seconds seconds.
The workaround for this bug is to use negative values. I can make a pull request if needed.
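The behaviour reported above, as an added example that is not part of the original issue and not the package's code. The function names are hypothetical, and the truthiness check is an assumed cause (one common way a zero value ends up treated as "not set"); the user-agent side follows the quoted RFC 6265 section 5.2.2 rule.

```javascript
// Added example; helper names are hypothetical, not the package's API.
const EARLIEST = -8.64e15; // earliest representable JavaScript date, in ms

// Assumed cause: a truthiness test drops Max-Age when maxAge is 0.
function serializeBuggy(name, value, opts = {}) {
  let out = `${name}=${encodeURIComponent(value)}`;
  if (opts.maxAge) out += `; Max-Age=${Math.trunc(opts.maxAge)}`;
  return out;
}

// Corrected form: only an absent maxAge omits the attribute, so 0 is emitted.
function serializeFixed(name, value, opts = {}) {
  let out = `${name}=${encodeURIComponent(value)}`;
  if (opts.maxAge !== undefined && opts.maxAge !== null) {
    if (!Number.isFinite(opts.maxAge)) throw new TypeError('maxAge must be a finite number');
    out += `; Max-Age=${Math.trunc(opts.maxAge)}`;
  }
  return out;
}

// User-agent side, RFC 6265 section 5.2.2: delta-seconds <= 0 means the
// earliest representable time. Returns null when there is no valid Max-Age
// (session cookie). The last Max-Age attribute in the header wins.
function expiryFromSetCookie(header, nowMs) {
  let expiry = null;
  for (const raw of header.split(';').slice(1)) {
    const eq = raw.indexOf('=');
    const key = (eq === -1 ? raw : raw.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? '' : raw.slice(eq + 1).trim();
    if (key !== 'max-age' || !/^-?\d+$/.test(val)) continue; // ignore malformed
    const delta = parseInt(val, 10);
    expiry = delta <= 0 ? EARLIEST : nowMs + delta * 1000;
  }
  return expiry;
}

// Classifies what a conforming user agent does with the cookie.
function cookieFate(header, nowMs = Date.now()) {
  const expiry = expiryFromSetCookie(header, nowMs);
  if (expiry === null) return 'session';
  return expiry <= nowMs ? 'removed' : 'persistent';
}
```

A regression test for a logout or cookie-clearing path can assert on the serialized header itself, since a missing `Max-Age` attribute is the only visible sign that the removal was downgraded to a session cookie.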