Cookie Expires and Max-Age attributes now have upper limit
As of Chrome release M104 (August 2022) cookies can no longer set an expiration date more than 400 days in the future.
As of Chrome release M104 (August 2022) cookies can no longer set an expiration date more than 400 days in the future.
This change does not impact session cookies—cookies that do not explicitly set an expiration date with Max-Age
or Expires
—as these are instead cleared when the browsing session ends.
With this change, Chrome caps the expiration date to the maximum allowed value: 400 days from the time the cookie was set. Cookies that request an expiration date further out than 400 days aren't rejected; their expiration date is set to 400 days instead.
Example
For example, consider a cookie set on Sunday, January 1, 2023:
Cookie | Requested expiration | Days in future | Over 400 days? | Effective expiration |
---|---|---|---|---|
Name=Value; Expires=Mon, 1 Jan 2024 00:00:00 GMT | Jan 1, 2024 | 365 | No | Jan 1, 2024 |
Name=Value; Max-Age=1704085200 | Jan 1, 2024 | 365 | No | Jan 1, 2024 |
Name=Value; Expires=Mon, 5 Feb 2024 00:00:00 GMT | Feb 5, 2024 | 400 | No | Feb 5, 2024 |
Name=Value; Max-Age=1707109200 | Feb 5, 2024 | 400 | No | Feb 5, 2024 |
Name=Value; Expires=Tues, 6 Feb 2024 00:00:00 GMT | Feb 6, 2024 | 401 | Yes | Feb 5, 2024 |
Name=Value; Max-Age=1707195600 | Feb 6, 2024 | 401 | Yes | Feb 5, 2024 |
Name=Value; Expires=Wed, 1 Jan 2025 00:00:00 GMT | Jan 1, 2025 | 731 | Yes | Feb 5, 2024 |
Name=Value; Max-Age=1735707600 | Jan 1, 2025 | 731 | Yes | Feb 5, 2024 |
Extending cookie expiration
Want to keep your cookie alive for longer than 400 days? Developers have the ability to extend the expiration any time the user visits the site again: by setting a new cookie with the same name. Note that cookies may be deleted before the expiration date for many reasons (for example, the user can manually clear their cookies or the per-domain cookie limit is exceeded).
Why was this limit added?
Before this limit was added, cookies could expire millennia in the future. With this change, we hope to strike a better balance between user expectations and convenience. 400 days was chosen as it's a bit over 13 months. This enables sites visited around once a year to retain their cookies.
Learn more
This change is part of the draft cookies standard and further details can be found on Chrome Platform Status. Both Mozilla and WebKit had positive feedback for the 400 day limit, though neither has implemented as of writing.