#7001 Do not send Max-Age in ipa_session cookie to avoid breaking older clients
Closed: fixed 6 years ago Opened 6 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1459153

Affected clients/servers:

  • all RHEL 3.x and < 4.5 IPA clients which use the IPA CLI tool ipa against a 4.5 server.

Functional impact:

  • minor performance regression (session re-negotiation). The command itself is
    executed as expected, except that the following error/"gibberish" is shown to
    the user of the ipa tool:
 ipa: ERROR: unable to parse cookie header 'ipa_session=MagBearerToken=MiIjMRJW
MAl1%2bazkGlIRns2iysA7wxc%2bpSenQtZEMKXSsRAXEcnw2wHEyzOyh8RHgIm5K7YvX1k1tPotRM2
ztegX4ODAmOe26%2fP4FLu68AupejDBNmNIENfasrNhUiPowugkkRXBOD%2b%2bsGFFMUZ%2bP7AYPH
oW3bE3uN4ftRQwftE11EFTti4a9fVwB4SLKiuU&expiry=1489670819868611;Max-Age=1800;pat
h=/ipa;httponly;secure;': unsupported operand type(s) for +: 'NoneType' and
'datetime.timedelta'

It can negatively affect automation tools which use the CLI. But mainly it
will be a UX and reputation issue.

FreeIPA 4.5.0(1) server sends a Set-Cookie header with a Max-Age string, which
is set by the SessionMaxAge directive in the httpd configuration. This is the
part of the header which older clients cannot parse. Older clients understand
the cookie with expiration expressed this way: Expires=time_when_cookie_expires.
In this format: Expires=Mon, 05 Jun 2017 17:10:07 GMT;

This bug is a proposal to work around the issue and change the server in a way
that it won't send the Max-Age string.
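
The two expiry forms described in this ticket, as an added example (not FreeIPA's code and not part of the original ticket): a tolerant client-side parser that accepts either Max-Age or Expires and defaults the reference time, so a relative Max-Age is never added to None. The function names and both sample headers are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (token values are placeholders, not real sessions).
NEW_STYLE = "ipa_session=MagBearerToken=PLACEHOLDER&expiry=1;Max-Age=1800;path=/ipa;httponly;secure;"
OLD_STYLE = "ipa_session=PLACEHOLDER; Expires=Mon, 05 Jun 2017 17:10:07 GMT; path=/ipa; httponly; secure"


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs); attribute names lowercased."""
    first, *rest = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = first.partition("=")   # the value itself may contain '='
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")   # flag attributes (secure) get ""
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def cookie_expiry(attrs, received_at=None):
    """Return the absolute UTC expiry, or None for a session cookie.

    Max-Age is relative to when the response was received, so a missing
    reference time is defaulted to "now" instead of being used in arithmetic.
    Max-Age takes precedence over Expires (RFC 6265).
    """
    if received_at is None:
        received_at = datetime.now(timezone.utc)
    try:
        return received_at + timedelta(seconds=int(attrs["max-age"]))
    except (KeyError, ValueError):
        pass  # absent or malformed Max-Age: fall back to Expires
    try:
        expires = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return None  # no usable expiry: treat as a session cookie
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return expires.astimezone(timezone.utc)
```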


Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1459153

6 years ago

Metadata Update from @pvoborni:
- Issue priority set to: blocker

6 years ago

Metadata Update from @pvoborni:
- Issue assigned to simo

6 years ago

master:

  • 77db574 Add code to be able to set default kinit lifetime
  • c52ca92 Revert setting sessionMaxAge for old clients

ipa-4-5:

  • 0def2ec Add code to be able to set default kinit lifetime
  • 728e2f6 Revert setting sessionMaxAge for old clients

Metadata Update from @mbasti:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago
