ninenines / cowboy

Small, fast, modern HTTP server for Erlang/OTP.

Home Page: https://ninenines.eu

Cookie Flexibility

randysecrist opened this issue · comments

I have a use case for controlling what set-cookie response headers can look like. In short, the use case is a mock server that can inject faults into response headers and bodies to see how a system under test will respond.

I do not (currently) see a way to:

  • Set the SameSite=Strict attribute for a cookie. The atom in the typedef isn't there today.
  • Set the date format used by the Expires attribute when used in conjunction with max_age.

ref: https://ninenines.eu/docs/en/cowboy/2.10/guide/cookies/

I realize cookies have a few different specifications, and am curious what your thoughts are on how best to support these asks without requiring too much effort on your part.

Thanks as always!

Update:

I was able to inject the cookie I wanted by directly manipulating the request map:

req1 = req0 |> Map.merge(
  %{:resp_cookies =>
    %{
      "rando_cookie" => [
        "rando_cookie",
        "=",
        "c9d72ff8-696b-4931-9188-b1def6f8c000",
        ["; Path=", "/", "; Domain=", ".rando.domain", "; Secure", "; Expires=",
         "Wed, 06 Mar 2024 04:44:54 GMT", "; Max-Age=", ~c"31536", "; HttpOnly; SameSite=Strict"]
      ]
    }
  }
)

Directly manipulating is the way to go for such purposes.

Note that cookies do accept strict (https://ninenines.eu/docs/en/cowlib/2.12/manual/cow_cookie/). A PR updating the guide is welcome.

The Expires attribute in Cowboy can be read but not written. This is on purpose. Cowboy will currently calculate the Expires value based on the max_age you provide and set it; but at a later time the Expires value will be removed as it is on the way out. https://github.com/ninenines/cowlib/blob/master/src/cow_cookie.erl#L363-L369

I can prob send you a PR for the doc update. Thanks for the quick response!
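
The two approaches from this thread side by side, as an added example that is not code from the issue or from the Cowboy project: the supported call with `same_site: :strict`, and a raw injection helper for the mock-server case that keeps cookies already set on the request. The module name, function names and the sample date strings are assumptions, and `set_raw/3` relies on the `resp_cookies` layout shown in the post above.

```elixir
defmodule MockCookies do
  # Hypothetical helper for a Cowboy-based mock server (all names are assumptions).
  @name "rando_cookie"

  # Supported path: cowlib builds the header. same_site: :strict is accepted,
  # and Cowboy derives Expires from max_age, so its format cannot be chosen here.
  def set_valid(req, value) do
    :cowboy_req.set_resp_cookie(@name, value, req, %{
      path: "/",
      domain: ".rando.domain",
      secure: true,
      http_only: true,
      same_site: :strict,
      max_age: 31536
    })
  end

  # Fault-injection path: write the header iodata directly, so the test can
  # choose any Expires text, including formats cowlib would never emit.
  # Unlike Map.merge/2 with a fresh map, this keeps cookies set earlier on req.
  def set_raw(req, value, expires_text) do
    cookie = [
      @name, "=", value,
      "; Path=/; Domain=.rando.domain",
      "; Expires=", expires_text,
      "; Max-Age=31536",
      "; Secure; HttpOnly; SameSite=Strict"
    ]

    existing = Map.get(req, :resp_cookies, %{})
    Map.put(req, :resp_cookies, Map.put(existing, @name, cookie))
  end

  # Constructed sample Expires values for a test matrix: one in the usual
  # HTTP date form and two deliberately non-standard forms.
  def expires_cases do
    [
      "Wed, 06 Mar 2024 04:44:54 GMT",
      "2024-03-06T04:44:54Z",
      "06/03/2024 04:44"
    ]
  end
end
```

In a handler, each value from `expires_cases/0` can be passed to `set_raw/3` before the request is handed to `:cowboy_req.reply/4`, giving one response per Expires variant.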