I’ve just run into the issue with misleading, or at least incomplete documentation related to HTTP Cookie representation in J2EE. Cookie class JavaDoc states that Cookie.setMaxAge(int) method “ Sets the maximum age of the cookie in seconds.” That’s not true, unfortunately. Cookies, as we know, don’t hold info about their max age. They hold the date/time value of their expected expiration. So, instead of setting the max age for a cookie, this setMaxAge method adds the int parameter seconds to the current SERVER date/time and puts this new date/time value to a cookie as its expiration time. Later, when this cookie is sent to the browser, this expiration date is compared to the CLIENT date/time, and cookie gets expired if its expiration date is in past. All this means that setMaxAge method description is valid in just one case: all clients are run on the same machine with the server, or at least have their system time synchronized with the server. Rather idealistic, isn’t it. There are lots of computers with system time that is in the past. If you’d really like to rely on a cookie expiring after a defied period then a different approach should be taken, the brand new System and Method for Defining a Cookie Max Age 🙂 So, if you’d like your cookie to expire in definite time you will need another cookies to hold the cookie ‘meta-information’. To make sure that cookie ‘cookie1’ having value ‘someValue’ will expire in, say, 20 seconds, in your servlet or servlet filter you could do: response.addCookie(new Cookie("cookie1Name","cookie1")); response.addCookie(new Cookie("cookie1Value","someValue")); response.addCookie(new Cookie("cookie1Timeout","20")); Then, add the next JavaScript on the page that the servlet produces: <script type="text/javascript"> // Original JavaScript code by Chirp Internet: <a href="https://www.chirp.com.au">www.chirp.com.au</a> // Please acknowledge use of this code by including this header. function getCookie(name) { var re = new RegExp(name + "=([^;]+)"); var value = re.exec(document.cookie); return (value != null) ? unescape(value[1]) : null; } function setCookie(name, value, expiry) { document.cookie = name + "=" + escape(value) + "; expires=" + expiry.toGMTString() + "; path=/"; } var cookie1Name = getCookie('cookie1Name'); var cookie1Value = getCookie('cookie1Value'); var cookie1Timeout = Math.abs(getCookie('cookie1Timeout')) * 1000; // converting to milliseconds setCookie(cookie1Name, cookie1Value, new Date((new Date()).getTime()+cookie1Timeout)); </script> This will result in a cookie1 to expire in 20 seconds. Awkward, but it works. Unfortunately this approach will not work for Cookies that are set during AJAX calls, as there will be no possibility to run a custom JavaScript in this case. Software Development