Jetty version(s)
12.1.x
Description
Currently, a negative Max-Age attribute is parsed by RFC6265SetCookieParser, then passed to HttpCookie.Builder.attribute(), then to HttpCookie.Builder.maxAge(), which removes the attribute from the attribute map.
This is mostly transparent, except when the Max-Age attribute is negative and not -1:
```
Set-Cookie: A=B; max-age=-2
cookie.getMaxAge() == -1;
cookie.getAttributes().size() == 0;
```
There is value in being able to distinguish the case "no Max-Age attribute" from "Max-Age attribute present with negative value".
Regarding the interpretation of negative Max-Age values, RFC 6265 states that the cookie should be considered expired, but browsers, Java's HttpClient and HttpCookie classes, and Jakarta's Cookie class all agree to consider it a "session cookie" that is not expired, but won't be persisted, and will be removed when the browser or client is closed or stopped.
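A sketch of the distinction requested above, added here as an example and not taken from Jetty's code: a minimal Set-Cookie parser that keeps the raw Max-Age attribute, so "absent" and "present but negative" stay distinguishable. The class `MaxAgeDemo`, the record `Parsed` and the enum `Lifetime` are hypothetical names, the headers are constructed samples, and Java 17 or later is assumed.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.OptionalLong;

// Added example with hypothetical names; this is not Jetty's RFC6265SetCookieParser.
public class MaxAgeDemo {
    enum Lifetime { SESSION_NO_MAX_AGE, SESSION_NEGATIVE_MAX_AGE, EXPIRED, PERSISTENT }

    record Parsed(String name, String value, Map<String, String> attributes) {
        // Empty when Max-Age is absent or not a valid integer; the raw text stays in attributes().
        OptionalLong maxAge() {
            String raw = attributes.get("max-age");
            if (raw == null || !raw.matches("-?\\d+")) return OptionalLong.empty();
            try { return OptionalLong.of(Long.parseLong(raw)); }
            catch (NumberFormatException overflow) { return OptionalLong.empty(); }
        }

        // The client-side reading described in the issue: a negative value means "session cookie".
        // RFC 6265 itself would treat every value <= 0 as expired.
        Lifetime lifetime() {
            OptionalLong m = maxAge();
            if (m.isEmpty()) return Lifetime.SESSION_NO_MAX_AGE;
            if (m.getAsLong() < 0) return Lifetime.SESSION_NEGATIVE_MAX_AGE;
            return m.getAsLong() == 0 ? Lifetime.EXPIRED : Lifetime.PERSISTENT;
        }
    }

    static Parsed parse(String setCookie) {
        String[] parts = setCookie.split(";");
        String[] nv = parts[0].split("=", 2);
        Map<String, String> attrs = new LinkedHashMap<>();
        for (int i = 1; i < parts.length; i++) {
            String[] kv = parts[i].trim().split("=", 2);
            String key = kv[0].trim().toLowerCase(Locale.ROOT); // attribute names are case-insensitive
            if (key.isEmpty()) continue;                        // skip empty segments such as ";;"
            attrs.put(key, kv.length > 1 ? kv[1].trim() : ""); // keep the value exactly as sent
        }
        return new Parsed(nv[0].trim(), nv.length > 1 ? nv[1].trim() : "", attrs);
    }

    public static void main(String[] args) {
        // Constructed sample header values (the part after "Set-Cookie: ").
        String[] samples = {"A=B", "A=B; max-age=-1", "A=B; max-age=-2", "A=B; Max-Age=0", "A=B; Max-Age=60"};
        for (String header : samples) {
            Parsed c = parse(header);
            System.out.println(header + " -> attributes=" + c.attributes() + " lifetime=" + c.lifetime());
        }
    }
}
```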