JDK-8359343 : HttpCookie Parser Incorrectly Handles Cookies with Expires Attribute
  • Type: CSR
  • Component: core-libs
  • Sub-Component: java.net
  • Priority: P4
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 26
  • Submitted: 2025-06-12
  • Updated: 2025-06-24
  • Resolved: 2025-06-24
Related Reports
CSR :  
JDK-8351983 - HttpCookie Parser Incorrectly Handles Cookies with Expires Attribute
Description
Summary
-------

The HttpCookie.parse() method is changed to correctly parse when both a Max-Age and Expires attribute are present

Problem
-------
The HttpCookie.parse() method incorrectly forces any cookie containing an "expires" attribute to be parsed using Netscape cookie rules (version 0), even when the cookie explicitly contains "max-age" attribute as specified in RFC 2109/2965. 
Solution
--------

Make the parse method behave as specified in RFC 6265 and clarify the apidoc for getMaxAge() and hasExpired() to explain this. Add a reference to RFC 6265 in the class level docs.

Specification
-------------
Change the HttpCookie class level docs as below:
```
  * <i>http://www.ietf.org/rfc/rfc2109.txt</i></a><br>
  *   RFC 2965 - <a href="http://www.ietf.org/rfc/rfc2965.txt">
  * <i>http://www.ietf.org/rfc/rfc2965.txt</i></a>
  * </blockquote>
  *
- * <p> HttpCookie class can accept all these 3 forms of syntax.
+ * <p> HttpCookie class can accept all these 3 forms of syntax. This class also provides
+ * partial support for RFC 6265.
  *
  * @spec https://www.rfc-editor.org/info/rfc2109 RFC 2109: HTTP State Management Mechanism
  * @spec https://www.rfc-editor.org/info/rfc2965 RFC 2965: HTTP State Management Mechanism
+ * @spec https://www.rfc-editor.org/info/rfc6265 RFC 6265: HTTP State Management Mechanism
  * @author Edward Wang
  * @since 1.6
  */
 public final class HttpCookie implements Cloneable {

```

Change the hasExpired() method as below
```
     /**
-     * Reports whether this HTTP cookie has expired or not.
+     * Reports whether this HTTP cookie has expired or not. This is
+     * based on whether {@link #getMaxAge()} seconds have elapsed since
+     * this object was created.
      *
      * @return  {@code true} to indicate this HTTP cookie has expired;
      *          otherwise, {@code false}
      */
     public boolean hasExpired() {}

```
Change the getMaxAge() method as below:
```
     /**
-     * Returns the maximum age of the cookie, specified in seconds. By default,
-     * {@code -1} indicating the cookie will persist until browser shutdown.
+     * Returns the maximum age of the cookie, specified in seconds from the time
+     * the object was created. By default, {@code -1} indicating the cookie will
+     * persist until browser shutdown.
+     *
+     * The value of this attribute is determined by the following steps, in line
+     * with RFC 6265:
+     *
+     * <ol><li>If {@link #setMaxAge(long)} was called, return the value set.</li>
+     * <li>If previous step failed, and a {@code Max-Age} attribute was parsed
+     * then return that value.</li>
+     * <li>If previous step failed, and an {@code Expires} attribute was parsed
+     * then the maxAge calculated at parsing time from that date, is returned</li>
+     * <li>If previous step failed, then return {@code -1}.</li></ol>
      *
      * @return  an integer specifying the maximum age of the cookie in seconds
      *
      * @see  #setMaxAge
      */
    public long getMaxAge() {}
```
Comments
Moving updated request to Approved.
24-06-2025
By the way, I also corrected a mistake in the original finialized spec change. The main doc change should have referred to get getMaxAge() method rather than parse()
19-06-2025
I think it is reasonable to say we provide partial support for RFC 6265 (we already have @spec tags for the other RFCs). A release note might be useful as well.
19-06-2025
Moving to Provisional, not Approved. Nothing worth a release note here? Would there be utility in adding `@spec` tags citing the RFC's?
18-06-2025