Will not expire/delete cookie from session when Set-Cookie only sets Max-Age=0 without Expires #998

Closed
segevfiner opened this issue Dec 1, 2020 · 2 comments
Labels
bug Something isn't working sessions


@segevfiner

  1. Run the following flask app (Python 3+, Flask 1.1.0):

```python
from flask import Flask


app = Flask(__name__)


@app.route('/set')
def set_():
    return "Set cookie", {'Set-Cookie': 'test=test; Path=/; Max-Age=3600'}


@app.route('/expire')
def expire():
    return "Expired cookie", {'Set-Cookie': 'test=test; Path=/; Max-Age=0'}
```

  2. `http --session=./session.json http://localhost:5000/set` - The cookie will be set
  3. `http --session=./session.json http://localhost:5000/expire` - The cookie will not be unset from the session file, check out its contents.

Flask does auto-set Expires when using set_cookie with only max_age, but not all web frameworks do that, and I don't think it is required by the standard.

@jkbrzt added the bug and sessions labels Dec 21, 2020
@luckydenis
Contributor

luckydenis commented Feb 4, 2021

@jakubroztocil, Good afternoon!
I found out what the problem is. We lose information about expired cookies in this place, since there is no check for the max-age parameter.

What is in the variable cookies = [{'path': '/', 'max-age': '0', 'version': '0', 'name': 'test'}]

https://github.com/httpie/httpie/blob/cf78a12e46ced68003263f4f43cee8fac720aa2c/httpie/utils.py#L112-L119

The reason why we don't have the expires variable set in the cookie is that when receiving a response, the requests library doesn't handle max-age=0.

```pycon
>>> import requests
>>> r = requests.get('http://localhost:5000/expire')
>>> r.cookies
<RequestsCookieJar[]>
>>> r.headers
{'Set-Cookie': 'test=test; Path=/; Max-Age=0', 'Content-Type': 'text/html; charset=utf-8', 'Content-Length': '14', 'Server': 'Werkzeug/1.0.1 Python/3.8.7', 'Date': 'Thu, 04 Feb 2021 12:55:55 GMT'}
```

It seems to me that this is a bug in requests, since we lose the state of the cookies. I suggest that for now we create an issue in requests and add a solution along these lines, with a link to the issue in requests.

```python
    # Fragment of a function body: attr_sets, now and is_expired are
    # defined outside this snippet.
    cookies = [
        # The first attr name is the cookie name.
        dict(attrs[1:], name=attrs[0][0])
        for attrs in attr_sets
    ]

    # issue ...
    for cookie in cookies:
        max_age = cookie.get('max-age')
        if max_age and max_age.isdigit():
            cookie['expires'] = now + float(max_age)

    return [
        {
            'name': cookie['name'],
            'path': cookie.get('path', '/')
        }
        for cookie in cookies
        if is_expired(expires=cookie.get('expires'))
    ]
```
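
A self-contained version of the check discussed in this thread, added here as an example; it is not httpie's or requests' code. The function name `expired_cookies` and the `honor_max_age` switch are hypothetical and the sample headers are constructed. It goes a little beyond the snippet above by also treating a negative Max-Age as expired and letting Max-Age override Expires, as RFC 6265 specifies.

```python
import re
import time
from http.cookiejar import parse_ns_headers

# Constructed sample data mirroring the /set and /expire responses in the report.
NOW = 1_600_000_000.0
SET = [('Set-Cookie', 'test=test; Path=/; Max-Age=3600')]
EXPIRE = [('Set-Cookie', 'test=test; Path=/; Max-Age=0')]


def expired_cookies(headers, now=None, honor_max_age=True):
    """Return [{'name', 'path'}] for cookies the response headers expire.

    headers is a list of (name, value) pairs. honor_max_age=False looks at
    Expires only, which reproduces the behaviour reported in this issue.
    """
    now = time.time() if now is None else now
    attr_sets = parse_ns_headers(
        [value for name, value in headers if name.lower() == 'set-cookie']
    )
    expired = []
    for attrs in attr_sets:
        # The first pair is (cookie name, cookie value); the rest are attributes.
        cookie = dict(attrs[1:], name=attrs[0][0])
        expires = cookie.get('expires')  # epoch seconds, None if absent
        max_age = cookie.get('max-age')  # raw string, None if absent
        # RFC 6265: Max-Age is an optional '-' followed by digits, it takes
        # precedence over Expires, and a value <= 0 expires the cookie.
        if honor_max_age and max_age and re.fullmatch(r'-?[0-9]+', max_age):
            expires = now + int(max_age)
        if expires is not None and expires <= now:
            expired.append(
                {'name': cookie['name'], 'path': cookie.get('path', '/')}
            )
    return expired


if __name__ == '__main__':
    print(expired_cookies(EXPIRE, NOW, honor_max_age=False))
    print(expired_cookies(EXPIRE, NOW))
    print(expired_cookies(SET, NOW))
```

A session store that skips this check keeps replaying a cookie the server has already revoked, so a logout that relies on `Max-Age=0` alone has no effect on the saved session.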

@luckydenis
Contributor

Added an issue for requests: psf/requests#5743

luckydenis pushed a commit to luckydenis/httpie that referenced this issue Feb 5, 2021
@jkbrzt closed this as completed in 3c07a25 Feb 6, 2021