Case:
Client makes a request to server1. Server1 sets the cookie mycookie=myvalue;Max-Age=0;Expire=session. Then server1 makes an HTTP redirect to server2. Server2 does its work and makes an HTTP redirect back to server1. And this time, I see that Cookie: mycookie=myvalue is included. How is that possible? Max-Age = 0 will always take priority over Expire = session. The HTTP redirect that was made the first time still reaches the browser, so the cookie was stored on the client side and, due to Max-Age = 0, should be deleted immediately.
Or did I misunderstand something?
It is impossible. The behaviour should be exactly as you expected it to be. I would propose that there could be something specific about the server you use and how it handles cookies with such attributes. Which server do you use?
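The expectation in the question and the answer's confirmation both follow from the RFC 6265 storage rules: when Max-Age is present it wins over Expires, a Max-Age of zero or less sets the expiry to the earliest possible time, and the user agent evicts expired cookies before they can be sent. The following is an added example, not code from either poster: a minimal simulation of a browser cookie store that walks the server1 -> server2 -> server1 redirect chain and returns the Cookie header the final request to server1 would carry. The host names server1 and server2, the fixed clock, and the simplified date parser are assumptions; domain, path and Secure handling are left out because they do not affect the point.

```python
"""Simplified RFC 6265 cookie store (constructed example, not a real user agent)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    expiry: Optional[datetime]  # None means a session cookie


def parse_set_cookie(header: str, now: datetime) -> Cookie:
    """Apply the RFC 6265 section 5.2 / 5.3 rules for Max-Age and Expires."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    max_age: Optional[int] = None
    expires: Optional[datetime] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            # Section 5.2.2: digits with an optional leading '-', anything else is ignored
            if val and val.lstrip("-").isdigit():
                max_age = int(val)
        elif key == "expires":
            # Section 5.2.1: an unparseable date (e.g. "session") is ignored.
            # parsedate_to_datetime is stricter than the RFC's algorithm (simplification).
            try:
                expires = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                expires = None
    # Section 5.3 step 3: Max-Age takes precedence over Expires when both are present
    if max_age is not None:
        if max_age <= 0:
            expiry = datetime.min.replace(tzinfo=timezone.utc)  # "earliest representable" time
        else:
            expiry = now + timedelta(seconds=max_age)
    elif expires is not None:
        expiry = expires
    else:
        expiry = None  # no Max-Age and no usable Expires: session cookie
    return Cookie(name.strip(), value.strip(), expiry)


class CookieJar:
    """Cookie store keyed by (host, name); path/Secure/HttpOnly are omitted."""

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str], Cookie] = {}

    def store(self, host: str, set_cookie: str, now: datetime) -> None:
        cookie = parse_set_cookie(set_cookie, now)
        # Section 5.3 step 11: a new cookie with the same name replaces the old one
        self._store[(host, cookie.name)] = cookie
        self.evict_expired(now)

    def evict_expired(self, now: datetime) -> None:
        # Section 5.3: expired cookies MUST be evicted; Max-Age=0 is expired on arrival
        expired = [k for k, c in self._store.items() if c.expiry is not None and c.expiry <= now]
        for key in expired:
            del self._store[key]

    def cookie_header(self, host: str, now: datetime) -> str:
        """Build the Cookie request header for `host` (empty string if nothing to send)."""
        self.evict_expired(now)
        return "; ".join(f"{c.name}={c.value}" for (h, _), c in self._store.items() if h == host)


def simulate_redirect_chain(set_cookie: str) -> str:
    """server1 sets a cookie and redirects to server2, which redirects back to server1.

    Returns the Cookie header the client would send on the final request to server1.
    """
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed fixed clock
    jar = CookieJar()
    jar.store("server1", set_cookie, now)  # first redirect response carries Set-Cookie
    # server2 never sees server1's cookies (different host), so nothing to send there
    jar.cookie_header("server2", now)
    now += timedelta(seconds=1)  # server2 does its work, then redirects back
    return jar.cookie_header("server1", now)


if __name__ == "__main__":
    for hdr in ("mycookie=myvalue; Max-Age=0; Expires=session",
                "mycookie=myvalue; Max-Age=0; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
                "mycookie=myvalue; Max-Age=60",
                "mycookie=myvalue"):
        print(f"{hdr!r:75} -> Cookie: {simulate_redirect_chain(hdr)!r}")
```

Running it shows that both Max-Age=0 variants produce an empty Cookie header on the return trip, even when Expires points years into the future, while a positive Max-Age or a plain session cookie is sent back to server1. If a real client does send the cookie, the deviation is on the client or on whatever sits between it and the server (a proxy or framework rewriting the header), which is why the answer asks which server is involved.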