
Is setting cookie expiration time: “time()-3600”, always correct?

For deleting a cookie in PHP:

I read on the internet, and on my course slides too, that if we set the expiration date to "time()-3600" we can't be sure the cookie will be removed by the client, because the client time and the server time can differ.

I agree with the last statement, but why might the client not delete the cookie if the "time()" function returns an epoch value? Isn't that an absolute value?

I think that if we set time()-3600, the Set-Cookie response header has the expiration date as an absolute value, and the browser can interpret that value (using its own local data) to determine when the cookie has expired.

Am I doing it wrong?

The client's clock may have significantly drifted from the actual time. In that case it doesn't matter whether time() is absolute or not: if the client machine has the wrong time, it may interpret the absolute time wrongly, and think that the expiration time is still in the future.

  • time() returns the number of seconds since midnight UTC on 1st January 1970, according to your server's clock.
  • setcookie will then format that into the string format required by HTTP, which is always expressed in GMT.
  • The client (browser) will then parse that date string, and compare it to the current time in GMT according to its own clock.

A correctly configured server and client should therefore agree that the value generated by time() - 3600 is in the past, so the cookie will be deleted.

However, there are a number of reasons this might go wrong:

  • The server's clock has drifted more than an hour ahead.
  • The server's time zone configuration is wrong, such that time() doesn't correctly adjust local time to UTC time.
  • The client's clock has drifted more than an hour behind.
  • The client's time zone configuration is wrong, such that the comparison is not correctly made against GMT.

It's also worth noting that in general you can't guarantee that a client will do anything you want. If you want to invalidate a session for security reasons, you must invalidate it on the server, and delete the cookie only as an additional convenience.
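The following is an added example, not code from the question or either answer. It models the two points the answer makes: the absolute `expires` date is computed on the server's clock and judged on the client's clock, so a client running more than an hour behind still sees it as "in the future"; and a logout must kill the session on the server first, with the cookie deletion only a courtesy. One fact worth adding: since PHP 5.5 `setcookie()` also emits a `Max-Age` attribute, which RFC 6265 defines as a relative number of seconds that takes precedence over `Expires`, so a browser that honours it is not affected by clock drift. The cookie name, the clock values and the two-hour skew are constructed for the demo, and `clientTreatsAsExpired()` is a deliberately simplified stand-in for a browser's decision, not real browser code.

```php
<?php
declare(strict_types=1);

// Build the Set-Cookie header value a server sends to delete a cookie.
// The date is rendered in GMT from the *server's* clock, as setcookie() does;
// Max-Age=0 is relative, so it does not depend on anyone's clock being right.
function deletionCookieHeader(string $name, int $serverNow): string
{
    $expires = gmdate('D, d-M-Y H:i:s', $serverNow - 3600) . ' GMT';
    return sprintf(
        '%s=deleted; expires=%s; Max-Age=0; path=/; secure; HttpOnly',
        $name,
        $expires
    );
}

// Simplified model of the browser's side (hypothetical helper, not a browser):
// does this header leave the cookie expired at the client's current time?
// With $honourMaxAge = false it behaves like a client that only knows Expires.
function clientTreatsAsExpired(string $header, int $clientNow, bool $honourMaxAge = true): bool
{
    if ($honourMaxAge && preg_match('/;\s*Max-Age=(-?\d+)/i', $header, $m)) {
        return (int) $m[1] <= 0;                      // relative: no clock involved
    }
    if (preg_match('/;\s*expires=([^;]+)/i', $header, $m)) {
        $ts = DateTimeImmutable::createFromFormat('D, d-M-Y H:i:s T', trim($m[1]));
        return $ts !== false && $ts->getTimestamp() <= $clientNow;   // absolute vs client clock
    }
    return false;                                     // no date: session cookie, kept until browser closes
}

// Real logout: invalidate on the server first, then ask the client to drop
// the cookie with the same path the cookie was set with (a mismatched path
// or domain is treated as a different cookie and the original survives).
function logout(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        $_SESSION = [];
        session_destroy();            // the session id is now useless even if the cookie lingers
    }
    setcookie(session_name(), '', [   // options-array form needs PHP 7.3+
        'expires'  => time() - 3600,  // PHP adds Max-Age=0 alongside this
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Demo with constructed clocks: server is correct, client is two hours behind.
$serverNow = 1700000000;
$clientNow = $serverNow - 7200;
$header    = deletionCookieHeader('PHPSESSID', $serverNow);

var_dump(clientTreatsAsExpired($header, $clientNow, false)); // bool(false): Expires is still an hour ahead on the client's clock
var_dump(clientTreatsAsExpired($header, $clientNow));        // bool(true): Max-Age=0 ignores the skew
```

Run it from the command line with `php example.php`; the first `var_dump` reproduces the failure mode the answer describes (an `expires` date an hour in the past on the server that is still in the future for a client an hour or more behind), and the second shows why the relative attribute is the robust part of the header. Either way, `logout()` is what actually ends the session, because only the server-side invalidation is under your control.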
