RFC 6265, "HTTP State Management Mechanism", April 2011

Source of RFC: httpstate (app)

Errata ID: 6719
Status: Reported
Type: Technical
Publication Format(s): TEXT

Reported By: Philip Gladstone
Date Reported: 2021-10-22

Section 4.1.1 says:

max-age-av        = "Max-Age=" non-zero-digit *DIGIT

It should say:

max-age-av           = "Max-Age=" non-negative-integer
non-negative-integer = zero-digit / (non-zero-digit *DIGIT)
zero-digit           = %x30


In section 5.2.2, there is the following text on the value of the max-age:

> Let delta-seconds be the attribute-value converted to an integer.
> If delta-seconds is less than or equal to zero (0), let expiry-time
> be the earliest representable date and time.

If max-age is an integer greater than 0, then the entire sentence is meaningless. It is a common practice to use max-age=0 to expire a cookie immediately. I think that the ABNF is incorrect. However, I don't see any reason to permit negative values.
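Added example, not part of the errata report: a Python sketch comparing the two server-side grammars with the user-agent handling of Max-Age in RFC 6265 Section 5.2.2, which shows where a validator built from the published ABNF disagrees with what user agents accept. The function names, the sample inputs, and the use of `datetime.min`/`datetime.max` as the earliest and latest representable times are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta, timezone

# Section 4.1.1 as published: "Max-Age=" non-zero-digit *DIGIT
ABNF_PUBLISHED = re.compile(r"[1-9][0-9]*")
# Grammar proposed in the erratum: zero-digit / (non-zero-digit *DIGIT)
ABNF_PROPOSED = re.compile(r"0|[1-9][0-9]*")
# Section 5.2.2 user-agent checks: first character DIGIT or "-", rest DIGIT.
# Assumption: a bare "-" has no integer value, so it is ignored here.
UA_PARSEABLE = re.compile(r"-?[0-9]+")

# Stand-ins (assumption) for the earliest and latest representable times.
EARLIEST = datetime.min.replace(tzinfo=timezone.utc)
LATEST = datetime.max.replace(tzinfo=timezone.utc)


def ua_expiry(value, now):
    """Expiry-time a user agent derives from a Max-Age value, or None if ignored."""
    if UA_PARSEABLE.fullmatch(value) is None:
        return None  # attribute ignored
    delta_seconds = int(value)
    if delta_seconds <= 0:
        return EARLIEST  # cookie expires immediately
    try:
        return now + timedelta(seconds=delta_seconds)
    except OverflowError:
        return LATEST  # clamp instead of crashing on huge values (assumption)


def classify(value, now):
    """Return (valid per published ABNF, valid per proposed ABNF, UA expiry)."""
    return (
        ABNF_PUBLISHED.fullmatch(value) is not None,
        ABNF_PROPOSED.fullmatch(value) is not None,
        ua_expiry(value, now),
    )


if __name__ == "__main__":
    now = datetime(2021, 10, 22, tzinfo=timezone.utc)  # constructed sample time
    for sample in ["3600", "0", "-1", "0123", "1e3", "9" * 30]:  # constructed inputs
        print(f"Max-Age={sample!r}: {classify(sample, now)}")
```

A server-side check generated from the published grammar rejects `Max-Age=0`, the value commonly sent to expire a session cookie, while `0123` and `-1` are outside both grammars yet still processed by a user agent following Section 5.2.2.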

