
There is a header, Max-Age, that allows one to specify the expiration time of a cookie. Unfortunately Internet Explorer 6, 7, 8 and probably later do not support Max-Age and require the Expires header with an absolute date in GMT.

It is not uncommon that the GMT time and TZ settings on a specific client are incorrect. Consider a user who has not defined his time zone correctly and adjusts the clock manually.

More than that, sometimes there may be a significant clock skew of many minutes that the user is unaware of.

In such a case the client's GMT time may be shifted by up to several hours. Effectively it would prevent a server from setting any cookie that requires a short expiration time. Consider a cookie that has a maximal age of 10 minutes: it would never be set if the TZ is incorrect.

Original ideas on how to solve the problem (that do not work or are problematic):

  1. Of course the best is to use Max-Age, or even specify both, as all browsers would ignore the "Expires" part - but it does not work in IE.
  2. Another way I thought of is setting the Date: header, hopefully IE would know to calculate the difference to work around clock skew... But it does not help in IE.
  3. Get the time from the client upon the request (using JavaScript), then calculate the clock difference and adjust the Expires header as needed. However, it requires complex data manipulation, including some way of submitting the time to the server.

Questions:

  1. What is the best and the common practice to handle Expire time for cookies in IE?
  2. How do you do it in your applications?
Artyom
  • _“Consider a cookie that has maximal age of 10 minutes”_ – hard to solve that under the described conditions. I’d rather store the _server-side_ time until which the value should be considered valid into the cookie as well (and have it set for a longer time frame) – then you can check server-side when receiving that cookie again whether you still want to use its value for something or not … – CBroe May 07 '13 at 10:19
  • I understand that 10 minutes is a small time. But in any case even if you need 30 minutes it still may be a big problem. – Artyom May 07 '13 at 11:15
  • In general we either set session cookies, which only last until the browser exits, or we set cookies with expiration dates days or years into the future so timezone issues are not a problem. – Old Pro May 16 '13 at 07:10

4 Answers

  • Set Max-Age as everyone but Microsoft understands it.
  • Add JavaScript that runs only on IE to convert Max-Age to UTC according to the browser's clock and set that expiration time on the cookie. Note that JavaScript cannot read the Max-Age set in the cookie, so you will have to provide that information (along with any other options) to the JavaScript some other way.

From QuirksMode

function readCookie(name) {
    var nameEQ = name + "=";
    var ca = document.cookie.split(';');
    for (var i = 0; i < ca.length; i++) {
        var c = ca[i];
        // strip the leading space left by the "; " separator
        while (c.charAt(0) == ' ') c = c.substring(1, c.length);
        if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
    }
    return null;
}

Then after you get the cookie name and maxAge and otherOptions (e.g. path, domain) from somewhere:

var date = new Date();
date.setTime(date.getTime() + (maxAge * 1000)); // maxAge is in seconds
document.cookie = name + "=" + readCookie(name) +
    '; expires=' + date.toUTCString() + otherOptions;
Old Pro

What I did was to shift the time keeping to the server side. You can never be sure of the time on the client side, but you know your server never lies.

  • You keep the time that the first request happened on the server (keep the server time when you send data per client), and you set a cookie with a max date expiration, i.e. 01/01/2900.
  • You keep track of that time and in, let's say, 10 minutes server time you decide it's time to kill it.
  • You then set the cookie to have the min date, i.e. 01/01/1900. Deleting cookies:
    http://msdn.microsoft.com/en-us/library/ms178195(v=vs.100).aspx

If I had this sort of requirement I would manage the cookies in my application. Include a server-time expires timestamp in the content of the cookie, secure the cookie with encryption or a hash, and reject the cookie if the timestamp in the cookie has passed.

This is pretty much how auto-login cookie expiration is enforced.

Sara

Just FYI, IE 11 supports Max-Age on cookies starting with version 11.0.15063.0.

I cannot find any documentation from Microsoft to report this, but during development we discovered our local version of IE was working, but our customers' was not. We narrowed it down to a difference in IE version and the Max-Age property on cookies.

Daniel Gary