Allow __VCAP_ID__ session cookie to have Max-Age>0

[hoffmaen]

• Read the Contributing document.

Summary

This Pull-Request fixes #429

With this change, we unconditionally copy the Max-Age attribute from the JSESSIONID cookie to the __VCAP_ID__ cookie, regardless of whether its value is positive or negative. Previously, the Max-Age attribute was only copied when its value was negative.

Backward Compatibility

Breaking Change? No

This Pull-Request impacts the lifecycle of the __VCAP_ID__ cookie. Previously, when a CF application set a positive Max-Age value for the JSESSIONID cookie, which defines when the cookie becomes invalid, Gorouter ignored this attribute. This caused the JSESSIONID and __VCAP_ID__ cookies to be invalidated at different times, leading to inconsistency. This Pull-Request fixes this behavior.

[maxmoehl]

To give some context I dug through all the code refactoring and subtree merges and found the commit which originally introduced this: 87a7eee. It used to be that none of the attributes of the sticky session cookie would be copied but this change introduced the copying of a negative MaxAge property that indicates that the app wants to invalidate a previous session cookie. This seems to be the main target of that commit: allow changing the sticky session by invalidating an old cookie. What this missed (and what is still in there) is that an app might invalidate the old and issue a new cookie in one go which gorouter does not support due to the break in the loop and only ever issuing one VCAP_ID cookie. @hoffmaen and I already discussed this behavior and it's also described in #529.

Edit: should've read the issue which already contains the reference 🥲