For a holiday project I'm enhancing Cookiemaster to be able to force cookies for your choice of domains to be Session (transient, go away when you close the browser) rather than persistent. In doing so, I found it wasn't parsing the date in 'Expires' correctly, and in discovering why, I found the horror that is the Date format as specified in the RFC.
Specifically, I mean https://tools.ietf.org/html/rfc6265#section-5.1.1. Feel free to go read, ponder and digest it. If you need somewhere to scream, I recommend you do so in the shower. The acoustics of the average bathroom are excellent for such activities.
If you don't want to read it in full (and frankly, I don't blame you), I draw your attention to the 'delimiter' definition:
delimiter = %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E
One or more delimiters can appear between any of the meaningful parts (e.g. day, month, hour, second etc). For those who don't have an ascii table handy (or memorised; I'm looking at you, lurbs), the set of characters that can be delimiters is:
!"#$%&'()*+,-./;<=>?@[\]^_`{\}~
as well as a space, and a hard tab (%x09). This is absurd, IMO. This means that the following is a perfectly valid date to include as the Expires value of a cookie:
Tue!#01&Jan<2019?00:24:20}GMT
I mean, it's parseable in only one way, so is perfectly fine for a machine. But it is still absurd.
Thankfully, the splendid people at Salesforce have published javascript code for parsing this abominable format already, so I didn't have to do it myself: https://github.com/salesforce/tough-cookie/blob/master/lib/cookie.js#L152
I am eternally grateful, while also still being just a little bit saddened that this is necessary. ISO8601 fo' lyfe, yo.