Cookie Expires and Max-Age attributes now have upper limit

As of Chrome release M104 (August
2022) cookies can no longer set an
expiration date more than 400 days in the future.

This change does not impact session cookies—cookies that do not explicitly set
an expiration date with Max-Age or Expires—as these are instead cleared when
the browsing session ends.

With this change, Chrome caps the expiration date to the maximum allowed value:
400 days from the time the cookie was set. Cookies that request an expiration
date further out than 400 days aren’t rejected; their expiration date is set to
400 days instead.

# Example

For example, consider a cookie set on Sunday, January 1, 2023:

# Extending cookie expiration

Want to keep your cookie alive for longer than 400 days? Developers have the
ability to extend the expiration any time the user visits the site again: by
setting a new cookie with the same name. Note that cookies may be deleted before
the expiration date for many reasons (for example, the user can manually clear
their cookies or the
per-domain cookie limit is exceeded).

# Why was this limit added?

Before this limit was added, cookies could expire millennia in the future. With
this change, we hope to strike a better balance between user expectations and
convenience. 400 days was chosen as it’s a bit over 13 months. This enables
sites visited around once a year to retain their cookies.

# Learn more

This change is part of the
draft cookies standard
and further details can be found on Chrome Platform
Status. Both
Mozilla and
WebKit
had positive feedback for the 400 day limit, though neither has implemented as
of writing.