Expect-cf problemm with max age limit

user19511 · August 11, 2022, 1:35pm

Hello Cloudflare,
I am trying to send support ticket but its not possible.
We have problem with expect-cf cookie which is limiting our cookie time to 1 year.
We need to make sure Cloudflare removes this limitation for our cookies on our domains.
Kind Regards!

KianNH · August 11, 2022, 10:27pm

What cookie exactly are you having issues with?

I’m not aware of any expect-cf cookie added by Cloudflare.

user19511 · August 19, 2022, 11:58am

Hello KianNH,
Cloudflare is limiting my cookies expiration date to max limit 1 year.

I need to make sure that we can add cookie time with unlimited limit.
Kind Regards

cscharff · August 19, 2022, 4:39pm

That’s a header not a cookie. So all good.

user19511 · September 2, 2022, 5:58pm

Hello there,
I will create a test file so you can understand more.
dragonorders(dot)com(slash)test.php
The code inside looks like this:

<?php echo "current time-".time(); setcookie('TEST', '1', time() + (86400 * 30 * 12 * 3), '/', $_SERVER['HTTP_HOST']); ?>

This should make cookie to expire after 3 years, but it doesnt make cookie expire after 3 years, but after 1 year as Cloudflare is limiting the cookie expire date by max 1 year-you can test yourself.
Kind Regards!

cscharff · September 2, 2022, 6:15pm

Probably not Cloudflare… I don’t see anything about an expect-cf header having anything to do with site cookies in the documentation for that header.

More likely being enforced by the browser…

https://chromestatus.com/feature/4887741241229312

curl -Ik https://dragonorders.com/test.php
HTTP/2 200
date: Fri, 02 Sep 2022 18:13:55 GMT
content-type: text/html; charset=UTF-8
set-cookie: TEST=1; expires=Sun, 17-Aug-2025 18:13:55 GMT; Max-Age=93312000; path=/; domain=dragonorders.com

A 3 year cookie is returned via curl.

KianNH · September 2, 2022, 6:17pm

The user agent MUST limit the maximum value of the Max-Age attribute. The limit SHOULD NOT be greater than 400 days (34560000 seconds) in duration. The RECOMMENDED limit is 400 days in duration, but the user agent MAY adjust the limit (see Section 7.2). Max-Age attributes that are greater than the limit MUST be reduced to the limit.¶

As Chris mentioned, this is a limitation added by browsers as per specification.

user19511 · September 3, 2022, 9:42am

Hello guys,
Thanks a lot for your answers, do you know from which Chrome version does did cookie update apply? So we cannot include anymore cookie expiration date higher then 400 days, is there any other way?
Thank you!

system · September 6, 2022, 9:42am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.