URL: https://errata.rfc-editor.org/eid6719/

Erratum 6719 - RFC 6265


RFC 6265, "HTTP State Management Mechanism", April 2011

Source of RFC: httpstate (app)

Errata-ID: 6719

Status: Rejected
Type: Technical
Reported By: Philip Gladstone
Date Reported: 2021-10-22
Rejected by: Francesca Palombini
Date Rejected: 2025-02-12

Section 4.1.1 says:

max-age-av = "Max-Age=" non-zero-digit *DIGIT

It should say:

max-age-av = "Max-Age=" non-negative-integer
non-negative-integer = zero-digit / (non-zero-digit *DIGIT)
zero-digit = %x30

Notes:

In section 5.2.2, there is the following text on the value of the max-age:

> Let delta-seconds be the attribute-value converted to an integer.
>
> If delta-seconds is less than or equal to zero (0), let expiry-time
> be the earliest representable date and time.

If max-age is an integer greater than 0, then the entire sentence is meaningless. It is a common practice to use max-age=0 to expire a cookie immediately. I think that the ABNF is incorrect. However, I don't see any reason to permit negative values.

--VERIFIER NOTES--
User agents and Servers have different requirements and a UA is expected to be able to handle a wider range of inputs than the well-behaved profile for Servers that is defined in Section 4. This erratum is analogous to https://www.rfc-editor.org/errata/eid3430 which was likewise rejected.
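
The server and user-agent profiles contrasted in the verifier notes, as an added example that is not part of the erratum or of RFC 6265: it applies the published Section 4.1.1 grammar, the grammar proposed above, and the Section 5.2.2 user-agent steps to constructed sample values. The two syntax checks that precede the quoted Section 5.2.2 text come from that section; the function names and the handling of a lone "-" are assumptions.

```javascript
// Added illustration; function names and sample values are constructed here.

// Server profile as published in Section 4.1.1:
//   max-age-av = "Max-Age=" non-zero-digit *DIGIT
const PUBLISHED_GRAMMAR = /^[1-9][0-9]*$/;
// Grammar proposed in the erratum:
//   non-negative-integer = zero-digit / (non-zero-digit *DIGIT)
const PROPOSED_GRAMMAR = /^(?:0|[1-9][0-9]*)$/;

// User-agent processing of a Max-Age attribute-value (Section 5.2.2).
//   "ignore": the attribute is dropped
//   "expire": expiry-time is the earliest representable date and time
//   "set":    expiry-time is now + delta-seconds
function processMaxAgeAsUserAgent(value, nowMs) {
  // First character must be a DIGIT or "-".
  if (!/^[0-9-]/.test(value)) return { action: "ignore" };
  // The remainder must contain only DIGITs.
  if (/[^0-9]/.test(value.slice(1))) return { action: "ignore" };
  const deltaSeconds = Number(value);
  // Assumption: a lone "-" has no integer value, so it is ignored here.
  if (Number.isNaN(deltaSeconds)) return { action: "ignore" };
  if (deltaSeconds <= 0) return { action: "expire" };
  return { action: "set", expiresAtMs: nowMs + deltaSeconds * 1000 };
}

// Classify one value under all three rules.
function classifyMaxAge(value, nowMs = Date.now()) {
  return {
    value,
    publishedGrammar: PUBLISHED_GRAMMAR.test(value),
    proposedGrammar: PROPOSED_GRAMMAR.test(value),
    userAgent: processMaxAgeAsUserAgent(value, nowMs).action,
  };
}

// Constructed sample values.
for (const v of ["3600", "0", "-1", "007", "+5", "1h", "-"]) {
  console.log(JSON.stringify(classifyMaxAge(v)));
}
```

The "0" row is the case the erratum is about: the user-agent steps expire the cookie, while the published server grammar does not produce that value.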