24 October 2009

HTTP Cookies: What's the difference between Max-age and Expires?

Quick Answer:

  • Expires sets an expiry date for when a cookie gets deleted
  • Max-age sets the time in seconds for when a cookie will be deleted
  • Internet Explorer (ie6, ie7, and ie8) does not support “max-age”, while (mostly) all browsers support expires

Max-age vs Expires, let’s dive in a little deeper:

The expires parameter was part of the original cookies baked up by Netscape. In HTTP version 1.1, expires was deprecated and replaced with the easier-to-use max-age—instead of having to specify a date, you can just say how long the cookie can live. By setting either of these, the cookie will persist until its time runs out, otherwise—if you set neither—the cookie will last until you close your browser (a “session cookie”).

Setting a cookie for “foo=bar” to last 5 minutes, using expires:

var d = new Date();
d.setTime(d.getTime() + 5*60*1000); // in milliseconds
document.cookie = 'foo=bar;path=/;expires='+d.toGMTString()+';';

And the same with max-age:

document.cookie = 'foo=bar;path=/;max-age='+5*60+';';

Unfortunately, none of the current versions of Internet Explorer support max-age, so if you want proper cookie persistence cross-browser, then stick to expires.

Let’s open this up to some fake Q&A…

Q. What if I set both expires and max-age in a cookie?
A. Every browser that supports max-age will ignore the expires regardless of it’s value, and likewise, Internet Explorer will ignore the max-age and just use expires.

Q. What if I set just max-age in a cookie?
A. Every browser—except Internet Explorer—uses it properly. In Internet Explorer it will be a session cookie (it will be deleted when you close your browser).

Q. What if I set just expires in a cookie?
A. Every browser uses and persists it properly, just remember to set it in GMT time as seen in the example above.

Q. Where did you get these facts from?
A. I wrote a cookie persistence test page and tested it out on IE6, IE7, IE8, FF2, FF3, Safari 4, Google Chrome, and Opera 9.6. Let me know if you try it out on any other browsers or see anything contradictory.

Q. What’s the moral of this story?
A. If you care about your cookies functioning properly for a huge percentage of web users (65.66%), don’t persist your cookies “the right way” according to spec (max-age), persist them the way that works (expires).

Comments (7)

1. Mark Stosberg wrote:

Thanks for the informative post.

Posted on 25 December 2010 at 8:12 PM  |  permalink

2. Tobias Olsen wrote:

Very informative. I like your cookies persistence test page.

Posted on 14 March 2011 at 3:03 AM  |  permalink

3. Sony Santos wrote:

When I set cookie from the server, max-age is more reliable in face of clock differences beetween browser and server; so I prefer to set both expires and max-age, since best browsers will ignore expires, and expires remains as fallback in IE.

Posted on 4 October 2011 at 4:10 PM  |  permalink

4. on-road wrote:

good article , thanks , friend , I just could not found another article in china like it.

Posted on 23 December 2011 at 1:12 AM  |  permalink

5. Salman Abbas wrote:

Thanks for clearing the confusion. By the way does IE9 support it? :-)

Posted on 17 January 2012 at 1:01 PM  |  permalink

6. Sergio wrote:

Thank u, Im trying to expire my cookie after 1 minute using expires but it isn´t working in IE... Could you please help? (I guess I´m mistaking some parse or something...?)

            var date = new Date();
    var datex = new Date( date.getTime() + (60000) );
            document.cookie = 'name=value;expires='+datex;

Posted on 25 April 2012 at 6:04 AM  |  permalink

7. peter wrote:

Sergio, please look at my example above with the date.toGMTString() part.

Posted on 1 May 2012 at 11:05 PM  |  permalink

Peter Coles

Peter Coles

is a software engineer who lives in NYC, works at Hunch/eBayNYC, and blogs here.
More about Peter »

@lethys · github · hunch
rss