I just figured out a rather puzzling problem I had with a cookie
apparently being ignored. I had it set to time out in 3 minutes and it
worked fine when tested on localhost, but sometimes failed when different
machines connected. The problem was that some of my test machines had
system clocks that weren't quite correct, and the cookie was effectively
timing out as soon as the browser received it. There's a lesson learned. :o}
So I switched from 3 minutes to an hour, then started pondering how much
of a skewed system clock I should worry about. This is a security-related
issue for my site so I didn't want to use a session cookie. That then
got me thinking about timezones...
Suppose my server is in London - UTC, GMT+0. I set my cookie to expire
in 1 hour. Someone in New York (GMT-5) connects - do they get to keep
the cookie for 6 hours? What about someone in Australia (GMT+10)? Do
they lose their cookie as expired as soon as they see it?
I read up on the issue and decided to use session cookies with a
timestamp in the data so I know exactly what is going on. But I'm still
interested in the answer to the above question. Unless there's something
going on I don't understand, it seems that cookie timeouts are not much
use for periods less than 24 hours or so, simply because of timezone issues.
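
The approach the post settles on (a session cookie carrying a timestamp, with expiry decided on the server) can be sketched as follows. This is an added example, not code from the original post; the key, the `user|issued_at|signature` layout and the function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

SECRET_KEY = b"constructed-demo-key"  # assumption: secret held only by the server
MAX_AGE_SECONDS = 3 * 60              # the 3-minute lifetime mentioned in the post


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the payload, URL-safe base64 without padding."""
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_cookie_value(user_id: str, now: Optional[float] = None) -> str:
    """Build the value of a session cookie (sent with no Expires/Max-Age).

    The timestamp is the server's own clock as UTC epoch seconds, so the
    browser's clock and timezone never take part in the expiry decision.
    """
    issued_at = int(time.time() if now is None else now)
    return f"{user_id}|{issued_at}|{_sign(f'{user_id}|{issued_at}'.encode())}"


def verify_cookie_value(value: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the value is authentic and still fresh, else None."""
    try:
        user_id, issued_raw, sig = value.rsplit("|", 2)
        issued_at = int(issued_raw)
    except ValueError:
        return None  # wrong shape or non-numeric timestamp
    expected = _sign(f"{user_id}|{issued_at}".encode())
    # Constant-time comparison; without the MAC a client could rewrite the
    # timestamp and extend its own session.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    age = (time.time() if now is None else now) - issued_at
    if age < 0 or age > MAX_AGE_SECONDS:
        return None  # expired, or stamped in the server's future
    return user_id
```

Both the issue time and the check use the same server clock, so a client with a skewed clock or a different timezone sees identical behaviour.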