OK, this isn't strictly speaking a quixote question, but I have this same
problem with quixote's session management, so it's tangentially related.

I read RFC 2109 and thought I understood it, but either I'm missing something
really dumb or the implementations of the browsers I'm using only vaguely
resemble 2109.

My first question is: does Max-Age work?  So far I have been unable to find
a browser in which it does.


Netscape is 4.7, Mozilla is 1.0, and IE is 6.lots of numbers.

Using max-age, e.g. 'Set-Cookie: tcookie=blah; max-age=5':

Mozilla accepts the cookie (includes it in subsequent requests), but never
expires the cookie unless I explicitly cancel it by sending max-age=0.

Netscape accepts the cookie, but ignores max-age entirely: no expiration
is possible at all.

IE accepts the cookie, but is like Netscape 4: it won't expire it.

Using expires, e.g.
    'Set-Cookie: tcookie=blah; expires=Tue, 25-Jun-2002 19:01:09 GMT':

IE doesn't even accept the cookie.

Mozilla accepts, but never expires the cookie unless I explicitly cancel it by
sending an expires=some time in the past.

Netscape works as expected (accepts cookie, expires at indicated time).



Second question is: what's the deal with quotes in values?  The RFC gives
an example cookie as
'Set-Cookie: Customer="WILE_E_COYOTE"; Version="1"; Path="/acme", but under
Mozilla at least, it *includes* the quotes in the path, and hence never sends
the cookie back unless you have some funny looking paths.  This explicitly
violates the RFC, based on my reading:

    value           =       word
    word            =       token | quoted-string

From all the trumpeting about "standards compliance" for Mozilla, I sort of
expected that at it at least would behave according to expectation, but
apparently not.  Maybe my expectations need adjusting...