When setting a cookie in an HTTP response, if you want the cookie to never expire, you can achieve this by specifying a distant expiration time. In practice, we commonly set the Expires attribute of the cookie to a very distant future date. For example:
Set-Cookie: sessionId=38afes7a8; Expires=Wed, 21 Oct 2099 07:28:00 GMT;
In this example, the sessionId cookie is configured to expire on October 21, 2099, which can be considered as 'never expiring'.
Additionally, you can use the Max-Age attribute to define the duration in seconds that the cookie remains valid. Setting a sufficiently large value ensures the cookie persists for an extended period:
Set-Cookie: sessionId=38afes7a8; Max-Age=3153600000;
Here, Max-Age is set to 3153600000 seconds, equivalent to 100 years, making the cookie effectively 'never expiring'.
However, it's important to note that even with a very long expiration time, the user's browser or browser settings may impact cookie storage. Users can manually clear cookies, or the browser may enforce its own storage policies that limit the cookie's lifespan. Consequently, while a long expiration time provides strong persistence, we cannot guarantee permanent storage of the cookie.