The important "expires" attribute of Set-Cookie
The Established Assumption

The "expires" attribute of the Set-Cookie HTTP response header is widely understood in the following way. Taken from the OWASP Testing Guide: https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

*expires - This attribute is used to set persistent cookies, since the cookie does not expire until the set date is exceeded. This persistent cookie will be used by this browser session and subsequent sessions until the cookie expires. Once the expiration date has exceeded, the browser will delete the cookie. Alternatively, if this attribute is not set, then the cookie is only valid in the current browser session and the cookie will be deleted when the session ends.

The Truth

Although omitting the "expires" attribute looks acceptable at first sight because of the browser's automatic cookie clean-up management, the cookie will stay active until the user manually closes the whole browser window, i.