
GEP 1619: distinguish 'session' cookies.

Open costinm opened this issue 7 months ago • 7 comments

The current spec defines expiration for the cookie - and mentions the Expiry attribute of the cookie (which seems to suggest that the expiration will be based on Expiry header or have an expiration based on the server settings).

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies defines 'session cookies' as cookies without an Expires or max-age -

https://gdpr.eu/cookies/ also defines "session cookies" as "expire when closing the browser or session ends" and has different requirements ("While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.")

What would you like to be added:

We should add an explicit field to indicate 'session cookies' - they may still have a shorter expiration, but will be based on the content of the cookie and not the "Expiry" attribute.

Alternative: remove the references to "Expiry" cookie attribute and document that only 'session cookies' are supported. For the use cases discussed (load balancer stickiness), very long persistent cookies do not help anyways - they are used for long-term user login and tracking.

Why this is needed:

To avoid ambiguity and confusion between the 2 kinds of cookies.

costinm, Jan 29 '24 21:01
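
The session/persistent distinction raised in this issue can be checked mechanically from a `Set-Cookie` header. The following is an added example, not part of the issue or of the Gateway API code base; `CookieKind` and `Classify` are hypothetical names, and the cookie name `lb` and all header values are constructed samples.

```go
package main

import (
	"fmt"
	"net/http"
)

// CookieKind is the lifetime class implied by a Set-Cookie header's attributes.
type CookieKind string

const (
	Session    CookieKind = "session"    // neither Expires nor Max-Age is set
	Persistent CookieKind = "persistent" // lifetime comes from Expires or Max-Age
	Deleted    CookieKind = "deleted"    // Max-Age <= 0 removes the cookie at once
	Invalid    CookieKind = "invalid"    // header did not parse as a cookie
)

// Classify parses one Set-Cookie header value with net/http and reports its kind.
// Max-Age is checked before Expires because it takes precedence (RFC 6265).
func Classify(setCookie string) CookieKind {
	resp := http.Response{Header: http.Header{"Set-Cookie": {setCookie}}}
	cookies := resp.Cookies()
	if len(cookies) != 1 {
		return Invalid
	}
	c := cookies[0]
	switch {
	case c.MaxAge < 0: // net/http reports "Max-Age: 0" or negative as -1
		return Deleted
	case c.MaxAge > 0, !c.Expires.IsZero():
		return Persistent
	default:
		return Session
	}
}

func main() {
	// Constructed sample headers; the cookie name "lb" is a placeholder.
	samples := []string{
		"lb=abc123; Path=/; HttpOnly",
		"lb=abc123; Max-Age=3600; Path=/",
		"lb=abc123; Expires=Wed, 29 Jan 2025 21:01:00 GMT",
		"lb=abc123; Max-Age=0",
	}
	for _, s := range samples {
		fmt.Printf("%-10s %s\n", Classify(s), s)
	}
}
```

An `Expires` value that `net/http` cannot parse leaves `Expires` zero, so such a cookie is reported as a session cookie.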