Why isn't the `set-cookie` header's `expires` field RFC conform?

Hey all,

Rails (or some used module) uses Time.gmtime.rfc2822 for the expires field. That looks something like this

Mon, 30 Jan 2017 22:37:51 -0000

But following the cookie RFC not RFC 2822 but RFC 2616 should be used. The most used format is the one defined by RFC 1233 (also according to MDN). That looks like this

Mon, 30 Jan 2017 22:37:51 GMT

Some background information:

I’m running ruby 2.4.0, rails 5.0.1

I ran into this while debugging a rally strange bug I faced today.:

Im setting a cookie like this in a redirect response

cookies[:remember_token] = {
  :value => remember_token,
  :expires => 1.day.from_now,
  :httponly => true
}

``

But Chromium 53.0.2785.143 simply ignores it when set in dev environment (i.e. from localhost). It works on deployment server though (maybe because it’s using https?).

Locally it also breaks using

  :expires => 9.months.from_now,

``

but super strangely works using

  :expires => 10.months.from_now,

The issue also resolves when not using en expiration date at all.

On Opera all versions work.

I thought this might be related to the time format (just because I have no further ideas).

Any thoughts on this? Is it worth opening an issue und GitHub? Do you have an idea how to fix?