RFC Errata
RFC 6265, "HTTP State Management Mechanism", April 2011
Source of RFC: httpstate (app)
Errata ID: 6719
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Philip Gladstone
Date Reported: 2021-10-22
Section 4.1.1 says:
max-age-av = "Max-Age=" non-zero-digit *DIGIT
It should say:
max-age-av = "Max-Age=" non-negative-integer
non-negative-integer = zero-digit / (non-zero-digit *DIGIT)
zero-digit = %x30
Notes:
In section 5.2.2, there is the following text on the value of the max-age:
> Let delta-seconds be the attribute-value converted to an integer.
>
> If delta-seconds is less than or equal to zero (0), let expiry-time
> be the earliest representable date and time.
If max-age is an integer greater than 0, then the entire sentence is meaningless. It is a common practice to use max-age=0 to expire a cookie immediately. I think that the ABNF is incorrect. However, I don't see any reason to permit negative values.
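
The mismatch described in the notes, as an added example that is not part of the erratum or of RFC 6265: it checks Max-Age values against the published and the proposed server grammar, then runs the section 5.2.2 user-agent steps on the same values. The function names and sample values are assumptions; the two syntax checks that precede the quoted sentence come from section 5.2.2 and are not quoted in this erratum.

```python
import re

# Section 4.1.1 as published: max-age-av value is non-zero-digit *DIGIT
ORIGINAL = re.compile(r"[1-9][0-9]*")
# Value grammar proposed in this erratum: zero-digit / (non-zero-digit *DIGIT)
PROPOSED = re.compile(r"0|[1-9][0-9]*")

ASCII_DIGITS = "0123456789"  # ABNF DIGIT; str.isdigit() would also accept non-ASCII digits
EXPIRE_NOW = "earliest representable date and time"  # sentinel for the 5.2.2 outcome


def server_may_send(value, grammar):
    """True if a conforming server may emit Max-Age=<value> under the given grammar."""
    return grammar.fullmatch(value) is not None


def user_agent_expiry(value, now):
    """Section 5.2.2 processing of a Max-Age attribute-value.

    Returns None when the attribute is ignored, EXPIRE_NOW when delta-seconds <= 0,
    otherwise the expiry time as now + delta-seconds.
    """
    if not value or (value[0] != "-" and value[0] not in ASCII_DIGITS):
        return None
    if any(ch not in ASCII_DIGITS for ch in value[1:]):
        return None
    if value == "-":
        return None  # assumption: a lone "-" has no integer value, so ignore it
    delta_seconds = int(value)
    return EXPIRE_NOW if delta_seconds <= 0 else now + delta_seconds


def compare(values, now=1_000):
    """One row per value: (value, valid under original, valid under proposed, UA result)."""
    return [(v, server_may_send(v, ORIGINAL), server_may_send(v, PROPOSED),
             user_agent_expiry(v, now)) for v in values]


if __name__ == "__main__":
    # Constructed sample values, not taken from the erratum.
    for row in compare(["3600", "0", "-1", "007", "1h"]):
        print(row)
```

The row for "0" shows the gap the erratum reports: the published grammar does not let a server send it, yet the user-agent algorithm accepts it and expires the cookie. The row for "-1" shows why the proposal leaves negatives out of the server grammar while user agents still tolerate them.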