Cookie Expires and Max-Age attributes now have upper limit

Cookie Expires and Max-Age attributes now have upper limit

As of Chrome release M104 (August 2022) cookies can no longer set an expiration date more than 400 days in the future.

This change does not impact session cookies—cookies that do not explicitly set an expiration date with Max-Age or Expires—as these are instead cleared when the browsing session ends.

With this change, Chrome caps the expiration date to the maximum allowed value: 400 days from the time the cookie was set. Cookies that request an expiration date further out than 400 days aren’t rejected; their expiration date is set to 400 days instead.

Example

For example, consider a cookie set on Sunday, January 1, 2023:

Cookie Requested expiration Days in future Over 400 days? Effective expiration
Name=Value; Expires=Mon, 1 Jan 2024 00:00:00 GMT Jan 1, 2024 365 No Jan 1, 2024
Name=Value; Max-Age=1704085200 Jan 1, 2024 365 No Jan 1, 2024
Name=Value; Expires=Mon, 5 Feb 2024 00:00:00 GMT Feb 5, 2024 400 No Feb 5, 2024
Name=Value; Max-Age=1707109200 Feb 5, 2024 400 No Feb 5, 2024
Name=Value; Expires=Tues, 6 Feb 2024 00:00:00 GMT Feb 6, 2024 401 Yes Feb 5, 2024
Name=Value; Max-Age=1707195600 Feb 6, 2024 401 Yes Feb 5, 2024
Name=Value; Expires=Wed, 1 Jan 2025 00:00:00 GMT Jan 1, 2025 731 Yes Feb 5, 2024
Name=Value; Max-Age=1735707600 Jan 1, 2025 731 Yes Feb 5, 2024

Want to keep your cookie alive for longer than 400 days? Developers have the ability to extend the expiration any time the user visits the site again: by setting a new cookie with the same name. Note that cookies may be deleted before the expiration date for many reasons (for example, the user can manually clear their cookies or the per-domain cookie limit is exceeded).

Why was this limit added?

Before this limit was added, cookies could expire millennia in the future. With this change, we hope to strike a better balance between user expectations and convenience. 400 days was chosen as it’s a bit over 13 months. This enables sites visited around once a year to retain their cookies.

Learn more

This change is part of the draft cookies standard and further details can be found on Chrome Platform Status. Both Mozilla and WebKit had positive feedback for the 400 day limit, though neither has implemented as of writing.

This post is also available in: Cookie Expires and Max-Age attributes now have upper limitEnglish