Invalid cookie header warnings

[RickMoynihan]

We've all seen these annoying warnings for a long time. I've stumbled across a fix so recording the issue here so I can record a fix against it:

[WARN ] 2020-09-07 14:14:39.540 [nREPL-session-9ee343f0-4be9-455d-8a24-c263cdf781ef] ResponseProcessCookies - Invalid cookie header: "Set-Cookie: did=s%3Av0%3A15b9a150-f10c-11ea-a8cf-13f852d23ac2.LT1AtjEjsFfXQAuT0RHJxXHgL0iV3Ozzzg08z9kbVR8; Max-Age=31557600; Path=/; Expires=Tue, 07 Sep 2021 19:14:39 GMT; HttpOnly; Secure; SameSite=None". Invalid 'expires' attribute: Tue, 07 Sep 2021 19:14:39 GMT

[scottlowe]

@RickMoynihan A clue! 🕵🏼

I think there might be an issue with the cookie Max-Age=31557600 - probably copied from the token_lifetime value in this auth0 docs example:

https://auth0.com/docs/secure/tokens/refresh-tokens/configure-refresh-token-rotation

I believe that the Max-Age value can be no higher than 31536000 for a year in seconds (ignoring leap years etc.).

The expires part of the error could be misleading because it is likely calculated from the Max-Age. Could it be that? 🤔

https://ashton.codes/set-cache-control-max-age-1-year/

I just found a related issue in muttnik, where we were setting this value too high.

[scottlowe]

Relates to muttnik issue https://github.com/Swirrl/muttnik/issues/315