rfc:cookie_max-age

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
Next revisionBoth sides next revision
rfc:cookie_max-age [2012/12/28 02:16] – created narfrfc:cookie_max-age [2012/12/28 03:38] – [Request for Comments: Cookie Max-Age attribute] Bumped version number narf
Line 1: Line 1:
 ====== Request for Comments: Cookie Max-Age attribute ====== ====== Request for Comments: Cookie Max-Age attribute ======
-  * Version: 1.0+  * Version: 1.1
   * Date: 2012-12-28   * Date: 2012-12-28
   * Author: Andrey Andreev <narf@bofh.bg>   * Author: Andrey Andreev <narf@bofh.bg>
Line 11: Line 11:
 ===== Introduction ===== ===== Introduction =====
  
-As already described by the title, this RFC proposes that //Max-Age// must be sent alongside the //Expires// attribute in //Set-Cookie// headers.+As already described by the title, this RFC proposes that **setcookie()**, **setrawcookie()** and **ext/session** must send the //Max-Age// attribute alongside //Expires// when a //Set-Cookie// header is created.
  
 ==== Why is it needed? ==== ==== Why is it needed? ====
Line 38: Line 38:
  
 The above list makes it pretty clear that the behavior of any user agent that can't take advantage of //Max-Age// won't be affected. With that said, I believe that it is both safe and proper to send both //Expires// and //Max-Age// at the same time, as this will provide a proper fallback for any "legacy" browser that doesn't support //Max-Age//. The above list makes it pretty clear that the behavior of any user agent that can't take advantage of //Max-Age// won't be affected. With that said, I believe that it is both safe and proper to send both //Expires// and //Max-Age// at the same time, as this will provide a proper fallback for any "legacy" browser that doesn't support //Max-Age//.
 +
 +==== Logical behavior ====
 +
 +Since **setcookie()** and **setrawcookie()** accept a Unix timestamp - the TS delta will have to be calculated based on the provided timestamp, like this:
 +
 +''<max-age> = <provided unix timestamp> - <current time>''
 +
 +**ext/session** on the other hand will directly send the configured **session.cookie_lifetime** value, which is exactly the same - TS delta, in seconds.
 +
 +==== Possible BC effects ====
  
 No downside is expected, except the few more bytes being sent in HTTP headers. No downside is expected, except the few more bytes being sent in HTTP headers.
 +
 +===== Examples =====
 +
 +Assuming our current time is: Fri, 28-Dec-2012 03:00:00 GMT
 +
 +<code>
 +setcookie('name', 'value', 1356663605);
 +
 +// Old header:
 +// Set-Cookie: name=value; expires=Fri, 28-Dec-2012 03:00:05 GMT
 +
 +// New Header:
 +// Set-Cookie: name=value; Expires=Fri, 28-Dec-2012 03:00:05 GMT; Max-Age=5
 +</code>
 +
 +<code>
 +setrawcookie('name', 'value', 1356663595);
 +
 +// Old header:
 +// Set-Cookie: name=value; expires=Fri, 28-Dec-2012 02:59:55 GMT
 +
 +// New Header:
 +// Set-Cookie: name=value; Expires=Fri, 28-Dec-2012 02:59:55 GMT; Max-Age=-5
 +</code>
 +
 +<code>
 +session_name('PHPSESSID');
 +session_set_cookie_params(3600, '/', 'domain.tld');
 +session_start();
 +
 +// Old header:
 +// Set-Cookie: PHPSESSID=<random session id>; expires=Expires=Fri, 28-Dec-2012 04:00:00 GMT; path=/; domain=domain.tld
 +
 +// New header:
 +// Set-Cookie: PHPSESSID=<random session id>; Expires=Expires=Fri, 28-Dec-2012 04:00:00 GMT; Max-Age=3600; Path=/; Domain=domain.tld
 +</code>
  
 ===== Related links ===== ===== Related links =====
Line 52: Line 98:
 ===== Changelog ===== ===== Changelog =====
  
 +  * 2012-12-28: Updated with suggestions from the thread on PHP-Internals.
   * 2012-12-28: Initial version.   * 2012-12-28: Initial version.
rfc/cookie_max-age.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1

Page Tools