Description
I noticed that when curl receives a Set-Cookie header with Max-Age=-1 (or any negative number) it will not immediately expire the cookie. Rather, the cookie will stay in the cookie jar when curl exits.
I believe that this is related to c3fdeca which works only for Max-Age=0, see Issue #3351.
However, @badger quotes RFC6265 in this comment as stating that:
If delta-seconds is less than or equal to zero (0) ....
In my opinion, patch c3fdeca may work only if delta-seconds is equal to zero and not if it is less than. I have verified this with a server: when I send Max-Age: 0, the cookie is immediately removed from the cookie jar, whereas if I set Max-Age: -1 it is not removed until the next time I run curl -c ...
My output with Max-Age: -1
* Added cookie auth_token="" for domain localhost, path /, expire 0
< Set-Cookie: auth_token=; Path=/; Max-Age=-1; HttpOnly
...
next invocation:
> Cookie: auth_token=
and the cookie jar contains:
#HttpOnly_localhost FALSE / FALSE 0 auth_token
By contrast, Max-Age=0 yields:
* Added cookie auth_token="" for domain localhost, path /, expire 1
< Set-Cookie: auth_token=; Path=/; Max-Age=0; HttpOnly
and the cookie is gone from the cookie jar.
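The RFC 6265 section 5.2.2 rule quoted in the report, as an added example that is not part of the original issue and is not curl's code: any delta-seconds less than or equal to zero maps to an already-expired time, so `Max-Age=-1` and `Max-Age=0` both remove the cookie. The function name, the two sentinel constants and the sample values are assumptions made for this sketch.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical sentinels for this example, not curl identifiers. */
#define EXPIRE_IGNORE (-1LL) /* malformed attribute: leave expiry untouched */
#define EXPIRE_NOW    1LL    /* stands in for "earliest representable time";
                                mirrors the "expire 1" shown for Max-Age=0 */

/* Map a Max-Age attribute value to an absolute expiry time.
 * `now` is the current time in seconds since the epoch. */
long long max_age_to_expiry(const char *value, long long now)
{
  const char *digits = value;
  long long delta;

  /* The first character must be a DIGIT or "-" ... */
  if(*digits == '-')
    digits++;
  /* ... and the remainder must be one or more DIGITs, nothing else. */
  if(!*digits)
    return EXPIRE_IGNORE;
  for(const char *q = digits; *q; q++)
    if(!isdigit((unsigned char)*q))
      return EXPIRE_IGNORE;

  errno = 0;
  delta = strtoll(value, NULL, 10);
  if(errno == ERANGE) /* out of range: saturate in the matching direction */
    return delta < 0 ? EXPIRE_NOW : LLONG_MAX;

  if(delta <= 0) /* zero AND negative both expire immediately */
    return EXPIRE_NOW;
  if(delta > LLONG_MAX - now) /* avoid signed overflow in now + delta */
    return LLONG_MAX;
  return now + delta;
}

int main(void)
{
  const char *samples[] = { "0", "-1", "3600", "-", "12x" }; /* constructed */
  for(size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("Max-Age=%s -> expiry %lld\n", samples[i],
           max_age_to_expiry(samples[i], 1700000000LL));
  return 0;
}
```

A jar writer that drops every cookie whose expiry is at or before the current time would then discard the `auth_token` cookie in both cases from the report instead of sending it again on the next invocation.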