gene b.

Reputation: 12006

Java Cookie setMaxAge(int): How is the exact expiration date tracked

Suppose in my Java app I do

    Cookie myCookie = new Cookie("myCookie", "someValue");
    myCookie.setMaxAge(3); // 3-seconds 

When a cookie is sent in the response it must have an Expiration Date. My understanding is it will expire on CreationDate + 3 sec (maxAge). maxAge is the delta.

If I create a cookie at 1/1/2020 16:08:00, is its Expiration Date 1/1/2020 16:08:03?

Then who sets the original Creation Timestamp of the cookie, is it the constructor? How is the overall date tracked?

Upvotes: 1

Views: 545

Answers (2)

g_param

Reputation: 156

In addition to what @JB Nizet said, clients can also update any cookie-related information they receive from the server's Set-Cookie response header.

Test it yourself in Chrome's Dev Tools, "Application" tab, there's a "Cookies" node in the left panel. For every domain, it allows you to see and/or modify any cookies you have stored in your browser. If you choose to update the "Expires/Max-Age" to a date in the past, the browser will automatically remove that cookie. You can also update it to sometime further out in the future.

Therefore, it's ultimately up to the server to know if a cookie is actually "valid." You should never rely on the max-age/expires data coming from the client to determine true validity. Clients use this to simply know when to delete it from its local storage.

Upvotes: 1
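One way to enforce the lifetime on the server instead of trusting the client's Max-Age handling, shown as an added example that is not code from either answer: the expiry timestamp is placed inside the cookie value and protected with an HMAC, so an edited or over-kept cookie is rejected. The class name `ExpiringCookieValue`, the methods `issue` and `verify`, the value layout and the demo key are assumptions made for this illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;

public class ExpiringCookieValue {
    // Constructed demo key; a real deployment loads a random secret from configuration.
    private static final byte[] KEY = "demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);

    private static String sign(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    /** Builds "payload.expiryEpochSeconds.signature"; payload must not contain '.'. */
    static String issue(String payload, long maxAgeSeconds, Instant now) throws Exception {
        String body = payload + "." + now.plusSeconds(maxAgeSeconds).getEpochSecond();
        return body + "." + sign(body);
    }

    /** Returns the payload if the signature matches and the expiry has not passed, else null. */
    static String verify(String cookieValue, Instant now) throws Exception {
        int sigAt = cookieValue.lastIndexOf('.');
        if (sigAt < 0) return null;
        String body = cookieValue.substring(0, sigAt);
        byte[] expected = sign(body).getBytes(StandardCharsets.UTF_8);
        byte[] actual = cookieValue.substring(sigAt + 1).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, actual)) return null; // constant-time compare
        int expAt = body.lastIndexOf('.');
        if (expAt < 0) return null;
        // Safe to parse: the body was produced by issue(), as the signature check proved.
        long expiry = Long.parseLong(body.substring(expAt + 1));
        return now.getEpochSecond() < expiry ? body.substring(0, expAt) : null;
    }

    public static void main(String[] args) throws Exception {
        Instant t0 = Instant.parse("2020-01-01T16:08:00Z"); // creation time from the question
        String value = issue("someValue", 3, t0);           // pair with setMaxAge(3) on the Cookie
        System.out.println(verify(value, t0.plusSeconds(2)));   // still inside the 3-second window
        System.out.println(verify(value, t0.plusSeconds(10)));  // kept past expiry by the client
        System.out.println(verify(value.replace("someValue", "other"), t0.plusSeconds(2))); // edited
    }
}
```

The browser's Max-Age then only controls when the client discards the cookie; the server's own clock and the signed timestamp decide whether the value is still accepted.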

JB Nizet

Reputation: 691933

The cookie creation time is not stored in the cookie. The client keeps the cookie for the given time, starting when it receives the cookie.

Upvotes: 2
