Max-Age=0

[mnot]

https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-4.1.1 --

Servers conforming to this profile MUST NOT send Set-Cookie header fields that deviate from the following grammar:
[...]
max-age-av = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT

This has the effect of disallowing Max-Age=0, even though later:

If delta-seconds is less than or equal to zero (0), let expiry-time be the earliest representable date and time. Otherwise, let the expiry-time be the current date and time plus delta-seconds seconds.

[mikewest]

At first, I thought this was simply a distinction between the server-side requirements and the (more forgiving) client-side requirements. Here, though, I think we really do want to accept max-age=0 as a way of deleting cookies (see e.g. this MDN article's recommendation).

I think we can drop the non-zero-digit definition and use 1*DIGIT instead in this grammar rule. That seems to better match what clients are doing today.

[sbingler]

I like this. I'm generally wary of loosening the server syntax but in this case I think this behavior is very useful and something the spec should explicitly allow.

[mikewest]

The change in #3376 seems like enough to me. @mnot, do you think more explanation is necessary for the remaining discrepancy between the server-side grammar and the client-side handling for negative numbers?

[mnot]

Not really.

[johannhof]

It probably makes sense to port this to layered-cookies as well

cc @annevk