maxAge should not be translated to expires #94
Conversation
|
Hi @baloo thanks for your pull request! So long story here is that this was an adopted module, so I cannot speak for the history (and of course changing it would be a breaking change and would need to be evaluated first). From my understanding it uses Here's also a blog about the two if it helps: http://mrcoles.com/blog/cookies-max-age-vs-expires/ Is there a way to make this pull request backwards-compatible in any way? Otherwise we'll need to hold this PR for the next major. Some backwards-compatible possibilities I'm thinking of:
|
|
Another thing I noticed in the change is that prior to this PR, if both |
|
To my knowledge rfc6265 is the document that defines the cookies semantics. To reply to your questions:
Maybe just ignore
Another option would be to have a "maxAgeRfc" option and let maxAge to its current implementation. Let me know what you think. |
|
Unfortinately that RFC was not even drafted until April 2011 and web browsers existed before than. If Cookies were as simple as reading an RFC this would be really easy, but they all seem to have their own quirks. We need to test this in real web browser to validate. I was wondering for at least your specific scenario you described if you could test the result of a Set-Cookie with both headers and see if it honored the max-age over the expires so we'd know if sending both would actually work for you before committing to the change. Anyway, I leave the changes up to you 👍 This PR is fine as-is, but is not backwards-compatible and thus I cannot give you a timeline in which I will accept it. If you're willing to wait, no need to make any changes. If you want it to land now, then it just needs to be backwards-compatible in a way you see fit. My thoughts on it I already gave. Let me know which way you want to go :) |
|
Well, AFAIK the first rfc describing cookie (and max-age) was rfc2109 (February 1997). Expires was not even an option back then. RFC6265 is just the current document that is authoritative on it. I'd prefer to have a fix now in cookies (as that would ease things up for me) so any change that could make it happen is welcome. |
|
Great, looking forward to the changes 👍 After you push this, please ping me here because GitHub doesn't always alert me to when new changes are pushed up. |
The expires argument includes the timezone, but the UA clock might
be offset by a couple of hours (incorrect timezone), which would
end-up in the following situation:
- UTC is 2018-01-15 10:00 + 00:00
Client has localtime: 2018-01-15 10:00 - 08:00 (8h in the future)
- Server set cookie with maxAge = 30min
- Server send:
Set-Cookie: foo=bar; expires=2018-01-15T10:30:00+00:00
- UA immediately expires the cookie
- UA send a new request without cookie.
Sadly incorrect UA clock is a common problem (at least for us),
maxAge is a correct option (as the time is calculated relative
to UA clock), but this is not an available option in this library.
Signed-off-by: Arthur Gautier <baloo@gandi.net>
|
@dougwilson I've gone down the |
|
What was the reason to not just send both? Does that not work? Because if it does, that would allow us to give the fix to all users of the module without breaking or them changing their code, seems like a win-win. I would like to hear why we cannot go down that road. Also, need to add docs 👍 |
|
Also, don't forget to add tests in |
|
Sending both header could work, but that gives little control to the user which I think is wrong. |
|
|
||
| it('should not set max-age attribute', function () { | ||
| var cookie = new cookies.Cookie('foo', 'bar', { maxage: 86400 }) | ||
| assert.equal(/; max-age=/.test(cookie.toHeader()), false) |
There was a problem hiding this comment.
The tests in this file should be testing the underlying properties of the cookie object for the most part, where the other tests (really just test.js now) testing the serialized header. You can test the header here too if you like, but at least you'll want to test the populated properties 👍
I mean, it's starting to sound like we're disagreeing here. I'd rather go that route of the breaking change route. The current proposed I mean, if you want just full control of every attribute without the module trying to help provide a balance of working everywhere, why not just use the module https://github.com/jshttp/cookie over this one? |
|
If you're really looking to go down the |
|
I don't want my server to emit expires at all, but you are probably correct I should use a lower-level module. Because IE does not support max-age, if expires is still too short and the UA clock is incorrect, the cookie will be removed, giving me no-chance of having it back. |
Right, ultimately it seems both choices are bad, in different ways. And it's very hard to detect when either one of these conditions occur. It would seem like the right thing to do is to force neither option on the module consumer and instead maybe we make it such that the consumer of this module must choose which type of loss is the acceptable for their application. |
|
Definitely and what I'm trying to achieve is very particular, so using a cookie module is probably a better solution for me. |
The expires argument includes the timezone, but the UA clock might
be offset by a couple of hours (incorrect timezone), which would
end-up in the following situation:
Client has localtime: 2018-01-15 10:00 - 08:00 (8h in the future)
Set-Cookie: foo=bar; expires=2018-01-15T10:30:00+00:00
Sadly incorrect UA clock is a common problem (at least for us),
maxAge is a correct option (as the time is calculated relative
to UA clock), but this is not an available option in this library.
Fix #58