nginx add_header Set-Cookie expires not working

The above configuration will result in two Set-Cookie headers set in response sent to the client.

Set-Cookie: lcid=1043Set-Cookie: expires=60

"Expires" is a cookie attribute which should be present in the header where you are setting the cookie name and value. Also one more point to note here is that the Expires attribute of the cookie only takes a fixed time stamp (Ex : Expires=Wed, 21 Oct 2015 07:28:00 GMT) and not the duration. If you need to specify the validity of the cookie in terms of duration then you need to set the Max-Age attribute instead of Expires.

So you need to change your configuration to have only one add_header directive which looks like below

add_header Set-Cookie "lcid=1043; Max-Age=60";

This will make sure that client receives only one Set-Cookie header in the response with the appropriate expiry value set as specified in the Max-Age attribute of the cookie.

Found out that this can be done upstream directly from Wordpress.

Add the following lines to the top of wp-config.php:

@ini_set('session.cookie_httponly', true);@ini_set('session.cookie_secure', true);@ini_set('session.use_only_cookies', true);

Then restart Wordpress.