Cookies not able to be deleted by setting max-age to 0

[allen-chao]

To help us debug your issue fill in the basic information below using the options provided

Serverless Java Container version: com.amazonaws.serverless:aws-serverless-java-container-springboot3:2.0.0

Implementations: Spring Boot 3

Framework version: eg SpringBoot3 2.0.0

Frontend service: REST API / ALB

Deployment method: SAM

Scenario

When calling servletResponse.addCookie method with max-Age set to 0, cookies are not getting deleted.

Expected behavior

Max-Age 0 is a valid value for cookies to expire immediately and a common way to delete cookies.

Actual behavior

Cookies are being set to session cookies instead of getting deleted. Had to do a workaround to set max-Age to 1 and have it expire after 1 second.

Source code that causes this issue

Steps to reproduce

1. Call servletResponse.addCookie(Cookie(name, value, 0, domain)) method
2. Check cookies from application section in browser developer console.
3. Cookies that are intended to be deleted will show as session cookies and not getting deleted

Full log output

I am running a project that cannot be shared on public github

[deki]

Thanks for the issue report. For stateless serverless web applications cookies are usually not being used but we can fix it anyway.

Are you willing to submit a PR to make the code more compliant with RFC 6265? Example implementation: https://github.com/apache/tomcat/blob/main/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java#L106

[leekib]

@deki Would it be okay if I work on updating code to comply with RFC 6265 and submit a PR?

[deki]

@2012160085 absolutely, contributions are always welcome!

[deki]

Fixed as part of the 2.1.0 release.