Response: setCookie() sends the Max-Age attribute

Adds Max-Age next to expires - Max-Age takes precedence over expires (RFC 6265)
and, unlike expires, does not depend on the client clock; expires is kept for
ancient clients. This is something setcookie()'s options array could not control.

A non-positive number of seconds clamps Max-Age to 0 (immediate deletion), so
deleteCookie() now performs a real deletion (a past time => Max-Age=0) instead
of setting a session cookie with an empty value.

Author: dg

src/Http/Response.php

@@ -253,9 +253,10 @@ public function setCookie(
 		}
 
 		$seconds = Helpers::expirationToSeconds($expire);
-		// the value is raw-url-encoded the same way PHP reads it back from $_COOKIE
+		// the value is raw-url-encoded the same way PHP reads it back from $_COOKIE;
+		// Max-Age takes precedence over expires (RFC 6265), expires is sent too for ancient clients
 		$cookie = $name . '=' . rawurlencode($value)
-			. ($seconds === null ? '' : '; expires=' . Helpers::formatDate(time() + $seconds))
+			. ($seconds === null ? '' : '; expires=' . Helpers::formatDate(time() + $seconds) . '; Max-Age=' . max(0, $seconds))
 			. '; path=' . ($path ?? ($domain ? '/' : $this->cookiePath))
 			. (($domain = $domain ?? ($path ? '' : $this->cookieDomain)) === '' ? '' : '; domain=' . $domain)
 			. (($secure ?? $this->cookieSecure) ? '; secure' : '')
@@ -277,7 +278,7 @@ public function deleteCookie(
 		?bool $secure = null,
 	): void
 	{
-		$this->setCookie($name, '', null, $path, $domain, $secure);
+		$this->setCookie($name, '', -1, $path, $domain, $secure); // a past time => Max-Age=0 => delete now
 	}
 
 

tests/Http/Response.setCookie.phpt

@@ -70,12 +70,19 @@ $headers = array_values(array_diff(headers_list(), $old, ['Set-Cookie:']));
 Assert::same(['Set-Cookie: test=f; path=/; domain=example.org; HttpOnly; SameSite=Lax'], $headers);
 
 
-// a future expiration sets the expires attribute
+// a future expiration sets Max-Age (and expires for ancient clients)
 $response = new Http\Response;
 $old = headers_list();
 $response->setCookie('test', 'value', 3600);
 $headers = array_values(array_diff(headers_list(), $old, ['Set-Cookie:']));
-Assert::match('Set-Cookie: test=value; expires=%a%; path=/; HttpOnly; SameSite=Lax', $headers[0]);
+Assert::match('Set-Cookie: test=value; expires=%a%; Max-Age=3600; path=/; HttpOnly; SameSite=Lax', $headers[0]);
+
+
+// deleteCookie sends Max-Age=0 (immediate deletion)
+$old = headers_list();
+$response->deleteCookie('test');
+$headers = array_values(array_diff(headers_list(), $old, ['Set-Cookie:']));
+Assert::match('Set-Cookie: test=; expires=%a%; Max-Age=0; path=/; HttpOnly; SameSite=Lax', $headers[0]);
 
 
 // the value is percent-encoded, the name is kept verbatim (incl. [] for array cookies)