Expires and Max-Age are both attributes used to control Cookie expiration time, but they differ in implementation and behavior.
Expires attribute
Features
- Uses absolute time (GMT format)
- Specifies the specific expiration date and time of the Cookie
- Better compatibility, supports older browsers
Syntax
```javascript
// Set Expires
const expires = new Date();
expires.setDate(expires.getDate() + 7); // Expires in 7 days
document.cookie = "token=abc; Expires=" + expires.toUTCString();

// Complete example
document.cookie = "token=abc; Expires=Wed, 09 Jun 2026 10:18:14 GMT; Path=/";
```
Important notes
- Time format must be UTC (GMT)
- If the set time is earlier than the current time, Cookie is immediately deleted
- Client and server time desynchronization may cause issues
Max-Age attribute
Features
- Uses relative time (in seconds)
- Specifies the validity period of the Cookie from creation
- More modern attribute, higher priority than Expires
Syntax
```javascript
// Set Max-Age (unit: seconds)
document.cookie = "token=abc; Max-Age=3600"; // Expires in 1 hour

// Complete example
document.cookie = "token=abc; Max-Age=86400; Path=/"; // Expires in 1 day
```
Special values
- Max-Age=0: Delete Cookie immediately
- Max-Age is negative: Delete Cookie immediately
- No Max-Age (or Expires) set: Session Cookie, deleted when browser closes
Comparison
| Feature | Expires | Max-Age |
|---|---|---|
| Time type | Absolute time | Relative time |
| Unit | Date-time string | Seconds |
| Priority | Low | High |
| Compatibility | All browsers | Modern browsers |
| Timezone issue | Yes | No |
Priority rules
```javascript
// When both are set, Max-Age takes precedence
document.cookie = "token=abc; Expires=Wed, 09 Jun 2026 10:18:14 GMT; Max-Age=3600";
// Cookie will expire in 1 hour, not the specified date
```
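The rules above (Max-Age over Expires, zero or negative Max-Age deletes, neither attribute means a session Cookie) can be applied to a raw `Set-Cookie` value to find how long it will really persist. This is an added example, not code from the original page; the function names, sample headers, the fixed "current time" and the one-day limit are all assumptions made for illustration.

```javascript
// Added example: resolve the effective lifetime of a Set-Cookie header value.
// All header strings, dates and the policy limit are constructed sample values.
function effectiveExpiry(setCookie, now) {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    if (eq === -1) continue; // flag attributes such as Secure, HttpOnly
    const key = attr.slice(0, eq).trim().toLowerCase();
    const val = attr.slice(eq + 1).trim();
    // Malformed values are ignored; the last valid occurrence wins.
    if (key === 'max-age' && /^-?\d+$/.test(val)) maxAge = parseInt(val, 10);
    if (key === 'expires' && !Number.isNaN(Date.parse(val))) expires = Date.parse(val);
  }
  if (maxAge !== null) {
    // Max-Age is relative, so the client clock does not affect it.
    return maxAge <= 0
      ? { name, kind: 'deleted', source: 'Max-Age', seconds: 0 }
      : { name, kind: 'persistent', source: 'Max-Age', seconds: maxAge };
  }
  if (expires !== null) {
    // Expires is absolute, so the result depends on the client's "now".
    const seconds = Math.floor((expires - now) / 1000);
    return seconds <= 0
      ? { name, kind: 'deleted', source: 'Expires', seconds: 0 }
      : { name, kind: 'persistent', source: 'Expires', seconds };
  }
  return { name, kind: 'session', source: null, seconds: null };
}

// Names of cookies that would persist longer than limitSeconds.
function overLimit(headers, limitSeconds, now) {
  return headers
    .map((h) => effectiveExpiry(h, now))
    .filter((c) => c.kind === 'persistent' && c.seconds > limitSeconds)
    .map((c) => c.name);
}

const NOW = Date.UTC(2026, 0, 1); // constructed "current time": 1 Jan 2026 00:00 UTC
const SAMPLE = [
  'token=abc; Expires=Thu, 08 Jan 2026 00:00:00 GMT; Max-Age=3600; Path=/',
  'rememberMe=true; Expires=Thu, 08 Jan 2026 00:00:00 GMT',
  'sessionId=abc; Path=/',
  'old=1; Max-Age=0',
];
console.log(overLimit(SAMPLE, 86400, NOW)); // [ 'rememberMe' ]
```

Passing a `now` that is one day ahead shortens the `rememberMe` lifetime but leaves `token` at 3600 seconds, which is the clock-desynchronization difference between the two attributes.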
Use cases
- Session Cookie
```javascript
// No expiration time set
document.cookie = "sessionId=abc"; // Deleted when browser closes
```
- Short-term Cookie
```javascript
// Using Max-Age is clearer
document.cookie = "tempToken=abc; Max-Age=1800"; // 30 minutes
```
- Long-term Cookie
```javascript
// Using Expires is more intuitive
const expires = new Date();
expires.setFullYear(expires.getFullYear() + 1);
document.cookie = "rememberMe=true; Expires=" + expires.toUTCString();
```
- Delete Cookie
```javascript
// Method 1: Set past Expires
document.cookie = "token=abc; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/";

// Method 2: Set Max-Age=0
document.cookie = "token=abc; Max-Age=0; Path=/";
```
Best practices
- Prefer Max-Age
```javascript
// Recommended
document.cookie = "token=abc; Max-Age=3600";

// Not recommended (unless need to support old browsers)
document.cookie = "token=abc; Expires=" + new Date(Date.now() + 3600000).toUTCString();
```
- Compatibility handling
```javascript
function setCookieWithExpiry(name, value, seconds) {
  if (typeof seconds !== 'number' || !Number.isFinite(seconds)) {
    throw new TypeError('seconds must be a finite number');
  }
  let cookieString = `${name}=${value}`;
  // Prefer Max-Age: browsers that support it give it precedence
  cookieString += `; Max-Age=${Math.floor(seconds)}`;
  // Fallback to Expires for old browsers that ignore Max-Age
  const expires = new Date(Date.now() + seconds * 1000);
  cookieString += `; Expires=${expires.toUTCString()}`;
  document.cookie = cookieString;
}
```
- Security considerations
  - Use short expiration times for sensitive information
  - Use long expiration times for "remember me" functionality
  - Regularly rotate Tokens and update expiration times
Real-world application example
```javascript
// Set Cookie after successful login
// Server-side setting (Node.js Express example); res is the Express response object
function setLoginCookie(res, token, rememberMe) {
  const options = {
    httpOnly: true,
    secure: true,
    sameSite: 'strict',
    path: '/'
  };
  // Express's maxAge option is in milliseconds, not seconds
  if (rememberMe) {
    // Remember me: 30 days
    options.maxAge = 30 * 24 * 60 * 60 * 1000;
  } else {
    // Don't remember: 1 hour
    options.maxAge = 60 * 60 * 1000;
  }
  res.cookie('authToken', token, options);
}
```