1

for delete cookie in PHP:

I read on the internet, and on my course slide too, that if we set expiration date to "time()-3600" we can't stay sure the cookie will be removed by the client,

because the client time and the server time can differ.

I agree with last statement, but why might the client not delete the cookie if the "time()" function return epoch value? it isn't absolute value?

I think if we set time()-3600, the response header set-cookie have expiration date as an absolute value, and the browser can interpret the value for find the data (as client local data) when the cookie is expired.

I'm doing it wrong?

artas
  • 148
  • 1
  • 3
  • 12

2 Answers2

2

The client's clock may have significantly drifted from the actual time. In that case is doesn't matter whether time() is absolute or not, if the client machine has the wrong time, it may interpret the absolute time wrong, and think that the expiration time is still in the future.

deceze
  • 510,633
  • 85
  • 743
  • 889
2
  • time() returns the number of seconds since midnight UTC on 1st January 1970, according to your server's clock.
  • setcookie will then format that into the string format required by HTTP, which is always expressed in GMT.
  • The client (browser) will then parse that date string, and compare it to the current time in GMT according to its own clock.

A correctly configured server and client should therefore agree that the value generated by time() - 3600 is in the past, so the cookie will be deleted.

However, there are a number of reasons this might go wrong:

  • The server's clock has drifted more than an hour ahead.
  • The server's time zone configuration is wrong, such that time() doesn't correctly adjust local time to UTC time.
  • The client's clock has drifted more than an hour behind.
  • The client's time zone configuration is wrong, such that the comparison is not correctly made against GMT.

It's also worth noting that in general you can't guarantee that a client will do anything you want. If you want to invalidate a session for security reasons, you must invalidate it on the server, and delete the cookie only as an additional convenience.

Community
  • 1
  • 1
IMSoP
  • 89,526
  • 13
  • 117
  • 169
  • i wasn't thinking about clock drifting or time zone wrong configured, and also the definition of UTC and GMT confused me. So if my server have an uncorrect time zone configuration, for example UTC+1 instead of UTC+2, when the **time()** calculate epoch seconds it leave 1 hour from the UTC actual value and not 2, so the time() function in this case return an epoch value 1 hour in the future? – artas Jun 24 '19 at 14:46