Cookie timeout and timezones

I just figured out a rather puzzling problem I had with a cookie  
apparently being ignored. I had it set to timeout in 3 minutes and it  
worked fine tested on localhost, but sometimes failed when different  
machines connected. The problem was that some of my test machines had  
system clocks that weren't quite correct, and the cookie was effectively  
timing out as soon as the browser received it. There's a lesson learned. :o}

So I switched from 3 minutes to an hour, then started pondering how much  
a skewed system clock I should worry about. This is a security related  
issue for my site so I didn't want to use a session cookie. That then  
got me thinking about timezones...

Suppose my server is in London - UTC, GMT+0. I set my cookie to expire  
in 1 hour. Someone in New York (GMT-5) connects - do they get to keep  
the cookie for 6 hours? What about someone in Australia (GMT+10)? Do  
they lose their cookie as expired as soon as they see it?

I read up on the issue and decided to use session cookies with a  
timestamp in the data so I know exactly what is going on. But I'm still  
interested in the answer to the above question. Unless there's something  
going on I don't understand, it seems that cookie timeouts are not much  
use for periods less than 24 hours or so, simply because of timezone issues.

Re: Cookie timeout and timezones



 The cookie spec states that the expiry time shall be in GMT:

 If the user has their timezone set wrong then things go wrong, but otherwise
you're only working against their clock drift (which is hopefully in the
region of a few minutes at worst) rather than timezone offsets.
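
The approach the first post settles on (a session cookie carrying its own timestamp), as an added example that is not part of the thread: the server signs the issue time and checks the age against its own clock, so neither the client's clock skew nor its timezone affects expiry. `SECRET_KEY`, the `user|issued|mac` layout and the function names are assumptions for illustration; `expires_header` shows the absolute GMT instant the reply refers to.

```python
import hashlib
import hmac
import time
from email.utils import formatdate

SECRET_KEY = b"constructed-demo-key"  # assumption: secret known only to the server
MAX_AGE = 180  # seconds; the 3-minute lifetime from the first post


def _mac(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie_value(user, now=None):
    """Build 'user|issued|mac' with the issue time read from the server clock."""
    issued = int(time.time() if now is None else now)
    payload = f"{user}|{issued}"
    return f"{payload}|{_mac(payload)}"


def check_cookie_value(value, now=None, max_age=MAX_AGE):
    """Return the user if the value is authentic and not expired, else None."""
    now = time.time() if now is None else now
    parts = value.rsplit("|", 2)
    if len(parts) != 3:
        return None
    user, issued, mac = parts
    expected = _mac(f"{user}|{issued}")
    # Verify the MAC first, so a client cannot extend the lifetime by
    # editing the timestamp. compare_digest avoids a timing side channel.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    age = now - int(issued)
    # Reject future-dated values as well as stale ones.
    if age < 0 or age > max_age:
        return None
    return user


def expires_header(now, max_age=MAX_AGE):
    """Expires attribute value: an absolute instant in GMT, with no
    dependence on the timezone of either the server or the client."""
    return formatdate(now + max_age, usegmt=True)


if __name__ == "__main__":
    value = issue_cookie_value("alice")
    print(value)
    print(check_cookie_value(value))
    print(expires_header(time.time()))
```

Sent without an `Expires` attribute, the value behaves as a session cookie in the browser, and the only clock that decides validity is the server's.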
