TCK: setMaxAgeZeroTest() expects different Max-Age between EE10 and EE11

[pmd1nh]

Challenged Test:
URLClient.setMaxAgeZeroTest()

TCK Version:
Servlet TCK 6.0

Tested Implementation:
Open Liberty

Description:
Version 0 Set-Cookie header expects different values in TCK Servlet 6.0 and TCK Servlet 6.1

TCK Servlet 6.0 expects the Max-Age=0 presents in the Set-Cookie response header.

TCK Servlet 6.1 does not expect the Max-Age=0 in the Set-Cookie

The change in TCK Servlet 6.1 was because of 6.0 challenge which was addressed by #583. However, PR 583 was not pulled into TCK Servlet 6.0 but TCK Servlet 6.1.

Due to these TCK differences, implemented server also has two different behaviors.

Can TCK Servlet 6.0 allow either behavior to avoid inconsistent behaviors in server b/w 6.0 and 6.1?

[pmd1nh]

@markt-asf

[markt-asf]

#493 was effectively accepted so I believe you can skip the affected test. That should allow 6.0 and 6.1 implementations to be consistent.

The 6.0 TCK is not under the (direct) control of the Servlet project. I suggest submitting a PR to the 10.0.x branch of the Platform TCK to exclude that test in https://github.com/jakartaee/platform-tck/blob/10.0.x/install/servlet/bin/ts.jtx

The platform TCK team are busy at the moment migrating to the new TCK structure. I don't know how long an updated Servlet 6.0 TCK release that includes the additional exclusion might take.

[pnicolucci]

@markt-asf any objection to marking this issue as TCK:accepted? Then we can work on a PR for the TCK.

[markt-asf]

I'd argue it is a duplicate of #493 - I'd rather any addition to the 6.0 exclusion list referenced the original issue.

[pmd1nh]

Hi @markt-asf ,

We'd like to challenge this TCK test in EE11.

The test should allow either Max-Age or Expires attribute in the Set-Cookie header.

1. From the Servlet API Cookie, there is no [g|s]etExpires(). There is also no serlvet document states that the Expires attribute should replace the Max-Age attribute
2. The Servlet API Cookie setMaxAge() does not state about replace/add Expires attribute when max-age is set to 0. (These contexts have been mentioned and acknowledged in the comments )

Servlet Container follows the Servlet Specification. If the Servlet Specification is changed to follow/reference a new RFC, those update/change behaviors need to be documented in the Servlet spec/API (for transparency and to avoid any misinterpretation).

(from https://www.rfc-editor.org/rfc/rfc6265#section-4.1.2.2

If a cookie has both the Max-Age and the Expires attribute, the Max-
   Age attribute has precedence and controls the expiration date of the
   cookie.

)

[markt-asf]

The Servlet 6.1 spec has required RFC 6265 compliance since Servlet 5.0.

RFC 6265 explicitly states (section 4.1.1)

 max-age-av        = "Max-Age=" non-zero-digit *DIGIT

It is neither reasonable nor practical for the Servlet specification to repeat the requirements of referenced specifications.

I agree the test can be excluded for the 6.0 TCK (under issue #493) but changes to the 6.0 TCK are outside the control of the Servlet project.