In the current work of the IETF http-state working group, we’re documenting how cookies work. The question came up how browsers and clients treat years in ‘expires’ strings if the year is only specified with two digits. And more precisely, is 69 in the future or in the past?
I decided to figure that out. I setup a little CGI that can be used to check what your browser thinks:
It sends a single cookie header that looks like:
Set-Cookie: testme=yesyes; expires=Wed Sep 1 22:01:55 69;
The CGI script looks like this:
print "Content-Type: text/plain\n";
print "Set-Cookie: testme=yesyes; expires=Wed Sep 1 22:01:55 69;\n";
print "\nempty?\n";
print $ENV{'HTTP_COOKIE'};
You see that it prints the Cookie: header, so if you reload that URL you should see “testme=yesyes” being output if the cookie is still there. If the cookie is still there, your browser of choice treats the date above as a date in the future.
So, what browsers think 69 is in the future and what think 69 is in the past? Feel free to try out more browsers and tell me the results, this is the list we have so far:
Future:
Firefox v3 and v4 (year 2069)
curl (year 2038)
IE 7 (year 2069)
Opera (year 2036)
Konqueror 4.5
Android
Past:
Chrome (both v4 and v5)
Gnome Epiphany-Webkit
Thanks to my friends in #rockbox-community that helped me out!
(this info was originally posted to the httpstate mailing list)
Beyond just “69”
(this section was added after my first post)
After having done the above basic tests, I proceeded and wrote a slightly more involved test that sets 100 cookies in this format:
Set-Cookie: test$yy=set; expires=Wed Oct 1 22:01:55 $yy;
When the user reloads this page, the page prints all “test$yy” cookies that get sent to the server. The results with the various browsers is very interesting. These are the ranges different browsers think are future:
- Firefox: 21 – 69 (Safari and Fennec and MicroB on n900) [*]
- Chrome: 10 – 68
- Konqueror: 00 – 99 (and IE3, Links, Netsurf, Voyager)
- curl: 10 – 70
- Opera: 41 – 69 (and Opera Mobile) [*]
- IE8: 31 – 79 (and slimbrowser)
- IE4: 61 – 79 (and IE5, IE6)
- Midori: 10 – 69 (and IBrowse)
- w3m: 10 – 37
- AWeb: 10 – 77
- Nokia 6300: [none]
[*] = Firefox has a default limit of 50 cookies per host which is the explanation to this funny range. When I changed the config ‘network.cookie.maxPerHost’ to 200 instead (thanks to Dan Witte), I got the more sensible and expected range 10 – 69. Opera has the similar thing, it has a limit of 30 cookies by default which explains the 41-69 limit in this case. It would otherwise get 10-69 as well. (thanks to Stanislaw Adrabinski). I guess that the IE8 range is similarly restricted due to it using a limit of 50 cookies per host and an epoch at 1980.
I couldn’t help myself from trying to parse what this means. The ranges can roughly be summarized like this:
0-9: mostly in the past
10-20: almost always in the future except Firefox
21-30: even more likely to be in the future except IE8
31-37: everyone but opera thinks this is the future
38-40: now w3m and opera think this is the past
41-68: everyone but w3m thinks this is the future
69: Chrome and w3m say past
70: curl, IE8, Konqueror say future
71-79: IE8 and Konqueror say future, everyone else say past
80-99: Konqueror say future, everyone else say past
How to test a browser near you:
- goto http://daniel.haxx.se/cookie2.cgi
- reload once
- the numbers shown on the screen is the year numbers the browsers consider
to be the future as described above
Interesting differences — but really, if you code so that this would actually present an issue, then you deserve issues. because your code. has. issues.
Nobody said anything else. The fact remains that the world is packed with cookies that get sent with 2-digit year numbers. How is a cookie parser supposed to convert them into an actual year?
We’ve discussed this a lot on the http-state mailing list and now I finally did a check how a lot of different browsers do it.