document last changes and add some tests

Author: rbri

src/changes/changes.xml

@@ -8,6 +8,9 @@
 
     <body>
         <release version="5.0.0" date="April 01, 2026" description="jdk17, Bugfixes">
+            <action type="fix" dev="Lai Quang Duong">
+                Align cookie max-age handling for huge values with the spec.
+            </action>
             <action type="fix" dev="rbri">
                 Intl: fix toStringSymbol for Intl, Collator, DateTimeFormat, Locale, and NumberFormat.
             </action>

src/main/java/org/htmlunit/http/CookieParser.java

@@ -25,6 +25,7 @@
 import java.util.Date;
 import java.util.List;
 import java.util.Locale;
+import java.util.regex.Pattern;
 
 import org.htmlunit.BrowserVersion;
 import org.htmlunit.util.StringUtils;
@@ -55,6 +56,12 @@ public final class CookieParser {
         "EEE, dd MMM yy HH:mm:ss z"         // Variant
     };
 
+    // Max-Age should be 400 days at most
+    // https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#section-5.5
+    private static final int MAX_MAX_AGE = 400 * 24 * 60 * 60;
+
+    private static final Pattern MAX_AGE_PATTERN = Pattern.compile("-?[0-9]+");
+
     private CookieParser() {
         // Utility class
     }
@@ -261,11 +268,19 @@ private static Integer parseMaxAge(final String maxAgeString) throws MalformedCo
             return null;
         }
 
+        if (!MAX_AGE_PATTERN.matcher(maxAgeString).matches()) {
+            throw new MalformedCookieException("Invalid 'max-age' attribute: '" + maxAgeString + "'");
+        }
+
+        if (maxAgeString.startsWith("-")) {
+            return -1;
+        }
+
         try {
-            return Integer.parseInt(maxAgeString);
+            return Math.min(Integer.parseInt(maxAgeString), MAX_MAX_AGE);
         }
         catch (final NumberFormatException e) {
-            throw new MalformedCookieException("Invalid max-age value: " + maxAgeString);
+            return MAX_MAX_AGE;
         }
     }
 

src/test/java/org/htmlunit/CookieManagerTest.java

@@ -505,6 +505,38 @@ public void cookieMaxAge_negativeDeletes() throws Exception {
         verifyTitle2(getWebDriver(), getExpectedAlerts()[1]);
     }
 
+    /**
+     * @throws Exception if the test fails
+     */
+    @Test
+    @Alerts({"first=1", ""})
+    public void cookieMaxAge_moreThan400Days() throws Exception {
+        final String moreThan400Days = "" + ((400 * 24 * 60 * 60) + 60);
+
+        List<NameValuePair> responseHeader1 = new ArrayList<>();
+        responseHeader1.add(new NameValuePair("Set-Cookie", "first=1;max-age=" + moreThan400Days));
+        getMockWebConnection().setResponse(URL_FIRST, HTML_ALERT_COOKIE, 200, "OK", MimeType.TEXT_HTML,
+                responseHeader1);
+
+        loadPage2(URL_FIRST, StandardCharsets.ISO_8859_1);
+        verifyTitle2(getWebDriver(), getExpectedAlerts()[0]);
+    }
+
+    /**
+     * @throws Exception if the test fails
+     */
+    @Test
+    @Alerts({"first=1", ""})
+    public void cookieMaxAge_long() throws Exception {
+        List<NameValuePair> responseHeader1 = new ArrayList<>();
+        responseHeader1.add(new NameValuePair("Set-Cookie", "first=1;max-age=99999999999"));
+        getMockWebConnection().setResponse(URL_FIRST, HTML_ALERT_COOKIE, 200, "OK", MimeType.TEXT_HTML,
+                responseHeader1);
+
+        loadPage2(URL_FIRST, StandardCharsets.ISO_8859_1);
+        verifyTitle2(getWebDriver(), getExpectedAlerts()[0]);
+    }
+
     /**
      * @throws Exception if the test fails
      */

src/test/java/org/htmlunit/http/CookieParserTest.java

@@ -112,7 +112,7 @@ public void testCookieWithBlankName() throws Exception {
     }
 
     /**
-     * Test parsing a cookie with whitespace. 
+     * Test parsing a cookie with whitespace.
      */
     @Test
     public void testCookieWithWhitespace() throws Exception {
@@ -200,7 +200,7 @@ public void testCookieWithSameSite() throws Exception {
     }
 
     /**
-     * Test parsing a cookie with SameSite=Lax. 
+     * Test parsing a cookie with SameSite=Lax.
      */
     @Test
     public void testCookieWithSameSiteLax() throws Exception {
@@ -212,7 +212,7 @@ public void testCookieWithSameSiteLax() throws Exception {
     }
 
     /**
-     * Test parsing a cookie with SameSite=None. 
+     * Test parsing a cookie with SameSite=None.
      */
     @Test
     public void testCookieWithSameSiteNone() throws Exception {
@@ -285,6 +285,31 @@ public void testCookieWithMaxAgeNegative() throws Exception {
         assertNull(cookie.getExpires());
     }
 
+    /**
+     * Test parsing a cookie with max-age more than 400 days.
+     */
+    @Test
+    public void testCookieWithMaxAgeTooBig() throws Exception {
+        final String moreThan400Days = "" + ((400 * 24 * 60 * 60) + 60);
+        final List<Cookie> cookies = parseCookie("name=value; max-age=" + moreThan400Days);
+
+        assertEquals(1, cookies.size());
+        final Cookie cookie = cookies.get(0);
+        assertNotNull(cookie.getExpires());
+    }
+
+    /**
+     * Test parsing a cookie with max-age that does not fit into an integer
+     */
+    @Test
+    public void testCookieWithMaxAgeLong() throws Exception {
+        final List<Cookie> cookies = parseCookie("name=value; max-age=99999999999");
+
+        assertEquals(1, cookies.size());
+        final Cookie cookie = cookies.get(0);
+        assertNotNull(cookie.getExpires());
+    }
+
     /**
      * Test parsing a cookie with all attributes.
      */
@@ -462,7 +487,7 @@ public void testCookieWithVersion() throws Exception {
     }
 
     /**
-     * Test parsing cookie with invalid max-age. 
+     * Test parsing cookie with invalid max-age.
      */
     @Test
     public void testCookieWithInvalidMaxAge() {