RFC 6265, "HTTP State Management Mechanism", April 2011

Errata ID: 3430
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: Zhong Yu
Date Reported: 2012-12-13
Rejected by: Barry Leiba
Date Rejected: 2012-12-17

Section 4.1.1 says:

 max-age-av        = "Max-Age=" non-zero-digit *DIGIT
                       ; In practice, both expires-av and max-age-av
                       ; are limited to dates representable by the
                       ; user agent.
 non-zero-digit    = %x31-39
                       ; digits 1 through 9

It should say:

 max-age-av        = "Max-Age=" 1*DIGIT
                       ; In practice, both expires-av and max-age-av
                       ; are limited to dates representable by the
                       ; user agent.

Notes:

The current text forbids a server to send Max-Age=0.
--VERIFIER NOTES--
That is correct. As noted in the introduction, what servers should do and what clients should do are not the same. The ABNF in Section 4 limits the server intentionally, to maximize compatibility with deployed clients. See this text in the Introduction:

To maximize interoperability with user agents, servers SHOULD limit
themselves to the well-behaved profile defined in Section 4 when
generating cookies.

User agents MUST implement the more liberal processing rules defined
in Section 5, in order to maximize interoperability with existing
servers that do not conform to the well-behaved profile defined in
Section 4.

Report New Errata