Don't trust Cookie setMaxAge


 

I've just run into an issue with misleading, or at least incomplete, documentation related to the HTTP Cookie representation in J2EE. The Cookie class JavaDoc states that the Cookie.setMaxAge(int) method "Sets the maximum age of the cookie in seconds."
That's not true, unfortunately. Cookies, as we know, don't hold info about their max age. They hold the date/time value of their expected expiration.

So, instead of setting the max age for a cookie, the setMaxAge method adds the int parameter (seconds) to the current SERVER date/time and stores this new date/time value in the cookie as its expiration time. Later, when this cookie is sent to the browser, this expiration date is compared to the CLIENT date/time, and the cookie expires if its expiration date is in the past.

All this means that the setMaxAge method description is valid in just one case: all clients run on the same machine as the server, or at least have their system time synchronized with the server. Rather idealistic, isn't it? There are lots of computers whose system time is in the past.

If you'd really like to rely on a cookie expiring after a defined period then a different approach should be taken, the brand new System and Method for Defining a Cookie Max Age :-)

So, if you'd like your cookie to expire after a definite time, you will need additional cookies to hold the cookie 'meta-information'. To make sure that cookie 'cookie1' having value 'someValue' will expire in, say, 20 seconds, in your servlet or servlet filter you could do:

response.addCookie(new Cookie("cookie1Name","cookie1"));
response.addCookie(new Cookie("cookie1Value","someValue"));
response.addCookie(new Cookie("cookie1Timeout","20"));

Then, add the next JavaScript on the page that the servlet produces:

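<script type="text/javascript">
// Original JavaScript code by Chirp Internet: www.chirp.com.au
// Please acknowledge use of this code by including this header.
function getCookie(name) {
    // Anchor on the start of the string or a "; " separator so that only
    // the cookie with exactly this name matches.
    var re = new RegExp("(?:^|;\\s*)" + name + "=([^;]+)");
    var value = re.exec(document.cookie);
    return (value != null) ? unescape(value[1]) : null;
}

function setCookie(name, value, expiry) {
    // toUTCString() replaces the deprecated toGMTString().
    document.cookie = name + "=" + escape(value) + "; expires=" + expiry.toUTCString() + "; path=/";
}

var cookie1Name = getCookie('cookie1Name');
var cookie1Value = getCookie('cookie1Value');
var cookie1Timeout = Math.abs(getCookie('cookie1Timeout')) * 1000; // converting to milliseconds
// Only write the cookie when the server actually sent the meta-cookies.
if (cookie1Name !== null && cookie1Value !== null) {
    // The expiry is computed from the CLIENT clock, so server/client skew no longer matters.
    setCookie(cookie1Name, cookie1Value, new Date((new Date()).getTime() + cookie1Timeout));
}
</script>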

This results in cookie1 expiring in 20 seconds.

Awkward, but it works.

Unfortunately, this approach will not work for cookies that are set during AJAX calls, as there is no possibility of running custom JavaScript in that case.
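The effect described above can be checked without a browser. The following is an added example, not code from the original article: it simulates a server-stamped expiry and the meta-cookie workaround under different client clocks. The function names, the fixed server time and the clock offsets are constructed for illustration.

```javascript
// Added example: constructed clocks and cookie values, runnable in Node.js.

// Server side, as the article describes setMaxAge: expiry = SERVER clock + maxAge.
function serverSetCookie(name, value, maxAgeSec, serverNowMs) {
  const expires = new Date(serverNowMs + maxAgeSec * 1000).toUTCString();
  return name + "=" + value + "; Expires=" + expires + "; Path=/";
}

// Client side: seconds the cookie survives when the expiry date in the header
// is compared against the CLIENT clock (0 means it is dropped on arrival).
function clientLifetimeSec(setCookieHeader, clientNowMs) {
  const m = /;\s*expires=([^;]+)/i.exec(setCookieHeader);
  if (!m) return null; // no expiry date present
  const expiresMs = Date.parse(m[1]);
  if (Number.isNaN(expiresMs)) return null;
  return Math.max(0, Math.round((expiresMs - clientNowMs) / 1000));
}

// Exact-name lookup in a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const pair of cookieString.split(/;\s*/)) {
    const eq = pair.indexOf("=");
    if (eq > 0 && pair.slice(0, eq) === name) return pair.slice(eq + 1);
  }
  return null;
}

// The article's workaround: rebuild the real cookie from the three
// meta-cookies, stamping the expiry from the CLIENT clock.
function rebuildFromMeta(cookieString, clientNowMs) {
  const name = readCookie(cookieString, "cookie1Name");
  const value = readCookie(cookieString, "cookie1Value");
  const timeoutSec = parseInt(readCookie(cookieString, "cookie1Timeout"), 10);
  if (!name || value === null || !(timeoutSec > 0)) return null;
  const expires = new Date(clientNowMs + timeoutSec * 1000).toUTCString();
  return name + "=" + value + "; Expires=" + expires + "; Path=/";
}

const SERVER_NOW = Date.UTC(2024, 0, 1, 12, 0, 0); // constructed server time
const META = "cookie1Name=cookie1; cookie1Value=someValue; cookie1Timeout=20";
function compare(skewSec) { // client clock = server clock + skewSec
  const clientNow = SERVER_NOW + skewSec * 1000;
  const header = serverSetCookie("cookie1", "someValue", 20, SERVER_NOW);
  return {
    serverStamped: clientLifetimeSec(header, clientNow),
    clientStamped: clientLifetimeSec(rebuildFromMeta(META, clientNow), clientNow),
  };
}
for (const skew of [0, -3600, 300]) console.log(skew, compare(skew));
```

Because the workaround writes the cookie from page script, that cookie cannot carry the HttpOnly attribute, so the technique suits preference-style values rather than session identifiers.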

thanks

nice article

This is a great

This is a great article! Thanks a lot