2

We delete our cookies as advised on php.net and in several SO questions (Remove a cookie):

setcookie('id', '', time() - 3600, "/", "", false, true);

If we analyse this solution, it does not seem to work when the timezone difference between the server and the browser is over 1 hour (traveling users, different time zone, computer clock issue, OS clock issue, etc.).

So, we plan to set a date further in the past:

setcookie('id', '', time() - 86400, "/", "", false, true);

We have read that IE can skip cookies with a date too far in the past.

Which value is recommended?

What about users having an issue with their time setting on their computer (error setup or clock battery empty)? (We know that it is exceptional, but these people always end up complaining about our website and raising support tickets (which costs money).)

NOTE 1: As suggested by Theolodis, we could chain the cookies like this (modified):

setcookie('id', '', time() - 3600,  "/", "", false, true);
setcookie('id', '', time() - 90000, "/", "", false, true); #25 hours
setcookie('id', '', 1,              "/", "", false, true);

Is it a good idea which would cover all the cases?

NOTE 2: We are looking for a solution on the server side (if possible).

Toto
  • 1
    Couldn't you start by setting the 86400 cookies and directly afterwards the other one? In that case your only problem would be the IE users for which you would need another solution... – Theolodis Oct 01 '13 at 18:01
  • Don't use relative times for cookie deletion. You're depending on the client's clock on being "close" to yours. Use a fixed time WAY in the past, e.g. time 0 aka Jan 1/1970. A client clock that's THAT far out deserves to suffer from any time-related problems they're going to have. – Marc B Oct 01 '13 at 20:13
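
The fixed-expiry approach from the comment above, worked through as an added example (not code from the thread; the helper names and the sample client clocks are constructed for illustration). It compares the relative expiry values from the question with a fixed epoch expiry under skewed client clocks, and builds a deletion header that also carries `Max-Age=0`, which is an addition to what the thread proposes:

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not code from the thread.

/** Build a deletion header with an absolute epoch Expires plus Max-Age=0. */
function build_delete_cookie_header(string $name, string $path = '/', bool $secure = false, bool $httpOnly = true): string
{
    // Expires is an absolute GMT instant, so the client's time zone is irrelevant;
    // only a client clock set before that instant could still treat it as valid.
    $parts = [
        rawurlencode($name) . '=',
        'Expires=' . gmdate('D, d M Y H:i:s', 1) . ' GMT',
        'Max-Age=0',      // RFC 6265: zero or negative means "expire now", no clock comparison
        'Path=' . $path,  // must match the Path used when the cookie was set
    ];
    if ($secure)   { $parts[] = 'Secure'; }
    if ($httpOnly) { $parts[] = 'HttpOnly'; }
    return 'Set-Cookie: ' . implode('; ', $parts);
}

/** Would a client that only honours Expires treat the cookie as expired at $clientNow? */
function expired_by_expires(int $expires, int $clientNow): bool
{
    return $expires <= $clientNow;
}

$serverNow = time();
// Constructed client clocks: correct, 2 hours slow, 3 days slow, reset to the year 2000.
$clients = [
    'correct'       => $serverNow,
    '2h slow'       => $serverNow - 7200,
    '3 days slow'   => $serverNow - 259200,
    'reset to 2000' => gmmktime(0, 0, 0, 1, 1, 2000),
];
// The two relative values from the question and the fixed value from the comment.
$candidates = ['time()-3600' => $serverNow - 3600, 'time()-86400' => $serverNow - 86400, 'epoch+1' => 1];

foreach ($candidates as $label => $expires) {
    foreach ($clients as $who => $clientNow) {
        $state = expired_by_expires($expires, $clientNow) ? 'deleted' : 'KEPT';
        printf("%-13s client %-14s => %s\n", $label, $who, $state);
    }
}

echo build_delete_cookie_header('id'), "\n";
// In a real response: header(build_delete_cookie_header('id'), false);
```

Passing `false` as the second argument to `header()` keeps any other `Set-Cookie` headers already queued for the response.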

2 Answers

1

I guess that @Theolodis' solution works fine for most cases, but you'll still have the timezone difference or computer's clock problems.

So I figured: if each user may have a different clock/timezone set in their computers, wouldn't it be best to use their time as the default parameter to destroy a cookie?

Sadly enough, there's no way a server-side script can fetch the current user's time, but you may work around it using AJAX. Yes, it will give you a little more work, but I think this is almost completely fail-proof.

You could get user's time and store it into $_SESSION['time'] as the example provided. Then all you would need to do is set the cookie to expire a second "before" it (I'm not counting the time delay caused by the AJAX request).

setcookie('id', '', strtotime($_SESSION['time']) - 1,  "/", "", false, true);

Also, here's some interesting reading about Internet Explorer Cookie Behaviour.

I'm not sure this is the best solution ever, but I hope it works for you - or at least lights the path to find a better one.

mathielo
  • 1
    Good suggestion! Alternative would be to send the http headers with `setcookie()` and to also set a cookie from javascript. My question was not clear enough, sorry (I updated it): we are looking for a server-only solution. But still +1. :) – Toto Oct 01 '13 at 23:26
0

Use DateTime; it can handle timezones.

inf3rno