http-extensions
Is Age: a concern for cookies?
RFC 6265 says:
"let the expiry-time be the current date and time plus delta-seconds seconds"
Another, more recent, HTTP header with a "max-age" field is Alt-Svc: in RFC 7838. It has a max-age that explicitly subtracts the number of seconds specified in the Age: header.
The question is then if Age: should be considered valid for Alt-Svc:, shouldn't it also be considered valid for Set-Cookie:? (My assumption is that max-age values are generally large enough to make this mostly an academic discussion, but I don't know this for a fact.)
(I know curl's cookie parser doesn't care about Age: but I have no idea if others do.)
In an ideal world, it would likely make sense to work Age support into the cookie spec somehow. In a less-than-ideal world, I'm not actively planning on adding support to Chromium's network stack. I don't believe Firefox or Safari support that interaction either.
I'm not really advocating that anyone changes any stacks, more to understand what is already used and thinking a little about what the concept "current date and time" actually means between the treatment of different headers.
If you say no implementation cares about Age: or that no max-age is ever that small anyway to make it matter, then I suppose we don't do anything at all.
If we don't add this, it might be good to note that a cacheable cookie's expiry happens relative to when the browser sees the cookie, so people aren't surprised.*
- Of course they'll still be surprised.
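
The gap discussed in this thread, as an added example that is not part of the original issue or of any client's code: it computes the expiry of a cached response's cookie the RFC 6265 way (Age ignored) next to the Alt-Svc expiry the RFC 7838 way (Age subtracted from `ma`). The sample headers are constructed, and the Age-aware cookie expiry is a hypothetical behaviour shown only for comparison.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a response replayed by a shared cache 50 s after the origin sent it.
SAMPLE_HEADERS = [
    ("Age", "50"),
    ("Set-Cookie", "sid=abc123; Max-Age=60; Path=/; Secure; HttpOnly"),
    ("Alt-Svc", 'h2=":8000"; ma=60'),
]

def _age(headers):
    """Return the Age header as non-negative seconds (0 if missing or malformed)."""
    for name, value in headers:
        if name.lower() == "age" and re.fullmatch(r"[0-9]+", value.strip()):
            return int(value.strip())
    return 0

def _param(headers, header, attr):
    """Return the integer value of `attr` in the first `header` field, or None."""
    for name, value in headers:
        if name.lower() == header:
            m = re.search(r";\s*%s=(-?[0-9]+)" % re.escape(attr), value, re.I)
            if m:
                return int(m.group(1))
    return None

def lifetimes(headers, received_at):
    """Compare expiry computed the RFC 6265 way with the RFC 7838 way."""
    age = _age(headers)
    cookie_ma = _param(headers, "set-cookie", "max-age")
    altsvc_ma = _param(headers, "alt-svc", "ma")
    out = {"age": age}
    if cookie_ma is not None:
        # RFC 6265: current date and time plus delta-seconds; Age is ignored.
        out["cookie_expiry"] = received_at + timedelta(seconds=cookie_ma)
        # Hypothetical Age-aware variant (an assumption, not in RFC 6265).
        out["cookie_expiry_age_aware"] = received_at + timedelta(
            seconds=max(cookie_ma - age, 0))
    if altsvc_ma is not None:
        # RFC 7838: the response's age is subtracted from ma.
        out["altsvc_expiry"] = received_at + timedelta(
            seconds=max(altsvc_ma - age, 0))
    return out
```

With the sample headers, the cookie stays valid in the client for the full 60 seconds after receipt, 50 seconds longer than the lifetime counted from when the origin generated the response, while the Alt-Svc entry is fresh for only 10 seconds.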