I know that if I log in to a website, I get Set-Cookie headers with Max-Age/Expires values that tell when these cookies expire. Now what I want to know is: do these cookies expire on the client side, so the browser gets rid of them, or on the server side, so the server blocks/deletes them? I'm asking to see if it is possible for someone to extend the age of cookies using something like Fiddler/Charles Proxy.
Cookies on the client side have an expiry date and time value associated with them. After the specified date and time, the browser will not honour that cookie and will skip it in further HTTP(S) requests.
"I'm asking to see if it is possible for someone to extend the age of cookies using something like Fiddler/Charles Proxy"
a. If we tamper with the HTTP request, the cookie will reach the server. (We can achieve this using Fiddler/Charles Proxy.)
b. Alternatively, if we tamper with the expiry date in the browser cache, the browser will start honouring it again. (We can achieve this using a browser cookie editor, e.g. Advanced Cookie Manager.)
Conclusion: We can't trust a cookie's value for time-sensitive tasks. For example, a session ID will have a timestamp associated with it only in encrypted form so that people can't tamper with it.
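The following is an added example, not code from the question or the answer above, showing the server-side pattern the answer points at: the session cookie's value carries its own expiry, protected by an HMAC (signing rather than encryption is assumed here, since integrity is what matters), and the server checks that expiry against its own clock. The Max-Age attribute in the Set-Cookie header only tells the browser when to drop the cookie; a Fiddler/Charles user can replay the cookie after that time or rewrite the embedded expiry, and in both cases the check below still rejects it. `SECRET_KEY`, the `session` cookie name and the JSON payload layout are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for the example; a real server loads this from a secret store.
SECRET_KEY = b"example-secret-key-do-not-use"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(session_id, ttl_seconds, now=None, key=SECRET_KEY):
    """Build a cookie value of the form <base64 payload>.<hex HMAC-SHA256>.
    The expiry ('exp') is chosen by the server and covered by the signature."""
    now = int(time.time()) if now is None else int(now)
    payload = json.dumps({"sid": session_id, "exp": now + ttl_seconds},
                         separators=(",", ":")).encode()
    body = _b64(payload)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def set_cookie_header(value, ttl_seconds):
    """Max-Age here is advice to the browser only; it is not what the server trusts."""
    return (f"Set-Cookie: session={value}; Max-Age={ttl_seconds}; "
            "Path=/; HttpOnly; Secure; SameSite=Lax")


def verify_session_cookie(value, now=None, key=SECRET_KEY):
    """Return the session id if the cookie is authentic and unexpired, else None.
    Whatever Max-Age/Expires the client honoured is irrelevant: only the signed
    'exp' field and the server's clock decide."""
    now = int(time.time()) if now is None else int(now)
    try:
        body, sig = value.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # payload was altered (or signed with another key)
    try:
        data = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict) or "exp" not in data or "sid" not in data:
        return None
    if now >= int(data["exp"]):
        return None  # expired on the server side, regardless of what the browser thinks
    return data["sid"]


def attacker_rewrite_exp(value, new_exp):
    """What an intercepting proxy user can do: decode the body, push 'exp' into
    the future, re-encode it and keep the original signature."""
    body, sig = value.split(".", 1)
    data = json.loads(_unb64(body))
    data["exp"] = new_exp
    new_body = _b64(json.dumps(data, separators=(",", ":")).encode())
    return f"{new_body}.{sig}"


if __name__ == "__main__":
    t0 = 1_700_000_000
    cookie = issue_session_cookie("abc123", ttl_seconds=600, now=t0)
    print(set_cookie_header(cookie, 600))
    print("valid now:", verify_session_cookie(cookie, now=t0 + 100))
    print("replayed after expiry:", verify_session_cookie(cookie, now=t0 + 600))
    forged = attacker_rewrite_exp(cookie, t0 + 10**6)
    print("forged expiry:", verify_session_cookie(forged, now=t0 + 100))
```

If the server keeps session state in a store (database, Redis), the same rule applies in a simpler form: store the expiry next to the session record and check it on every request; the cookie then only needs to carry an unguessable identifier, and "extending" it on the client changes nothing.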