Client side javascript max cookie expiry?

After finding myself having to acknowledge cookie consent quite often on sites that I frequently visit, I became curious and started to experiment a little with client-side JavaScript. This revealed that any attempt to create a cookie using client-side JavaScript with an expiry date/time longer than seven days in the future hits a barrier. The calls to document.cookie() complete successfully, but any attempt to use “expires=” or “max-age=” with a date beyond seven days from now results in a seven-day expiry. Is this a known limitation, a JavaScript bug, or caused by something else?

I have seen this in Brave, both on my Windows machine and on my iPad, and the same thing happens with Opera too. I know my Windows (7) is outdated, but this started to happen long before the outdated version warning was a thing. My iPad runs the latest iPadOS and the latest Brave version, so it must be something else at play here.

Apparently there was a change in Chrome related to expires/max-age, so perhaps that might have something to do with it? (But seven is a lot less than 400, so maybe not.)

EDIT: Just for fun I installed Edge on Win 7 - lo and behold, in Edge, the cookie expiry beyond seven days works as expected! :thinking:
EDIT 2: Just tried Google Chrome on Win 7, and cookie expiry beyond seven days works fine there too.


@jek6094 I know nothing about this issue. Just posting a Brave GitHub issue report that may be related (or not): "Limit JS set cookie lifetime to 7 days" (#3443).

Seems there was a recent regression that was fixed in 1.45.x: "Expiry of JS cookie is capped at 6 months instead of 7 days" (#15048).

You may also be interested in this Brave article: "Blocking annoying and privacy-harming cookie consent banners".

If nothing else, this bumps your topic! Take care. :slightly_smiling_face:


Thanks for the info @Chocoholic! :+1: This explains why Brave behaves the way it does. I suppose all web sites storing cookie consent using client-side JavaScript are doing it all wrong then. Or maybe not wrong, but it would definitely be better through a set-cookie response header, since server-set cookies seem to have a six-month lifespan cap.
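
A model of the behaviour discussed in this thread, added as an example and not part of any post above or of any browser's code: the write is accepted, but the requested lifetime is clamped to a cap. The function names are hypothetical, and the caps (7 and 400, read here as days) are the figures mentioned in the thread, passed in as parameters.

```javascript
// Added example: models a browser-imposed lifetime cap on a cookie write.
const DAY_MS = 24 * 60 * 60 * 1000;

// Work out the expiry a cookie string asks for (ms since epoch, or null).
function requestedExpiry(cookieString, now) {
  let expires = null;
  let maxAge = null;
  // The first segment is name=value; the rest are attributes.
  for (const part of cookieString.split(";").slice(1)) {
    const eq = part.indexOf("=");
    if (eq === -1) continue; // flag attributes such as Secure
    const key = part.slice(0, eq).trim().toLowerCase();
    const val = part.slice(eq + 1).trim();
    if (key === "max-age" && /^-?\d+$/.test(val)) {
      maxAge = Number(val);
    } else if (key === "expires") {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) expires = t;
    }
  }
  // RFC 6265: Max-Age takes precedence over Expires.
  if (maxAge !== null) return now + maxAge * 1000;
  return expires; // null means a session cookie
}

// Apply a cap of capDays to the requested expiry.
function effectiveExpiry(cookieString, now, capDays) {
  const wanted = requestedExpiry(cookieString, now);
  if (wanted === null) return { session: true, expires: null, clamped: false };
  const limit = now + capDays * DAY_MS;
  const clamped = wanted > limit;
  return { session: false, expires: clamped ? limit : wanted, clamped };
}

// Lifetime in days after the cap is applied (null for session cookies).
function lifetimeDays(cookieString, now, capDays) {
  const r = effectiveExpiry(cookieString, now, capDays);
  return r.session ? null : (r.expires - now) / DAY_MS;
}

// Constructed sample: a consent cookie asking for one year.
const NOW = Date.UTC(2024, 0, 1);
const sample = "consent=accepted; Max-Age=31536000; Path=/; SameSite=Lax";
console.log(lifetimeDays(sample, NOW, 7));   // cap used for JS cookies in #3443
console.log(lifetimeDays(sample, NOW, 400)); // the larger cap mentioned above
```

The `clamped` flag is the part a site cannot observe through `document.cookie`, which is why the write appears to succeed while the stored expiry is shorter than requested.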