From 315698b50eaa964fd1b5e50d162cb27bdd54cb4d Mon Sep 17 00:00:00 2001
From: Juergen Hoeller <jhoeller@pivotal.io>
Date: Tue, 17 Jan 2017 15:33:30 +0100
Subject: [PATCH] Clarified cookieMaxAge default

Issue: SPR-15155
(cherry picked from commit 874b653)
---
 .../springframework/web/util/CookieGenerator.java   | 13 ++++++++-----
 src/asciidoc/web-mvc.adoc                           |  2 +-
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/spring-web/src/main/java/org/springframework/web/util/CookieGenerator.java b/spring-web/src/main/java/org/springframework/web/util/CookieGenerator.java
index 9e3ba5c08ba..59f5b226802 100644
--- a/spring-web/src/main/java/org/springframework/web/util/CookieGenerator.java
+++ b/spring-web/src/main/java/org/springframework/web/util/CookieGenerator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2015 the original author or authors.
+ * Copyright 2002-2017 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -55,7 +55,7 @@ public class CookieGenerator {
 
 	private String cookiePath = DEFAULT_COOKIE_PATH;
 
-	private Integer cookieMaxAge = null;
+	private Integer cookieMaxAge;
 
 	private boolean cookieSecure = false;
 
@@ -111,7 +111,9 @@ public class CookieGenerator {
 
 	/**
 	 * Use the given maximum age (in seconds) for cookies created by this generator.
-	 * Useful special value: -1 ... not persistent, deleted when client shuts down
+	 * Useful special value: -1 ... not persistent, deleted when client shuts down.
+	 * <p>Default is no specific maximum age at all, using the Servlet container's
+	 * default.
 	 * @see javax.servlet.http.Cookie#setMaxAge
 	 */
 	public void setCookieMaxAge(Integer cookieMaxAge) {
@@ -128,7 +130,8 @@ public class CookieGenerator {
 	/**
 	 * Set whether the cookie should only be sent using a secure protocol,
 	 * such as HTTPS (SSL). This is an indication to the receiving browser,
-	 * not processed by the HTTP server itself. Default is "false".
+	 * not processed by the HTTP server itself.
+	 * <p>Default is "false".
 	 * @see javax.servlet.http.Cookie#setSecure
 	 */
 	public void setCookieSecure(boolean cookieSecure) {
@@ -145,7 +148,7 @@ public class CookieGenerator {
 
 	/**
 	 * Set whether the cookie is supposed to be marked with the "HttpOnly" attribute.
-	 * <p>Note that this feature is only available on Servlet 3.0 and higher.
+	 * <p>Default is "false".
 	 * @see javax.servlet.http.Cookie#setHttpOnly
 	 */
 	public void setCookieHttpOnly(boolean cookieHttpOnly) {
diff --git a/src/asciidoc/web-mvc.adoc b/src/asciidoc/web-mvc.adoc
index 6e33695e6ac..511af9759f7 100644
--- a/src/asciidoc/web-mvc.adoc
+++ b/src/asciidoc/web-mvc.adoc
@@ -3518,7 +3518,7 @@ maximum age. Find below an example of defining a `CookieLocaleResolver`.
 | The name of the cookie
 
 | cookieMaxAge
-| Integer.MAX_INT
+| Servlet container default
 | The maximum time a cookie will stay persistent on the client. If -1 is specified, the
   cookie will not be persisted; it will only be available until the client shuts down
   their browser.