Set-Cookie: Expire property, clock skew and Internet Explorer issue

There is a Max-Age header that allows you to specify the expiration time of the cookie. Unfortunately, Internet Explorer 6, 7, 8 and possibly later do not support Max-Age and require the Expires header with an absolute date in GMT.

Often there may be incorrect GMT and TZ time settings for a particular client. Consider a user who has not defined his time zone and manually adjusted the clock.

Moreover, sometimes there can be a significant skew of hours in a few minutes that the user does not know about.

In this case, GMT time can be shifted by several hours. Effectively, this would prevent the server from setting any cookie that requires a short expiration time. Consider that a cookie with a maximum age of 10 minutes will never be set if TZ is incorrect.

Original ideas on how to solve the problem (which do not work or are problematic):

  • Of course, it’s best to use Max-Age, or even specify both, since all browsers will ignore the “Expire” part, but it doesn’t work in IE
  • Another way I thought of was to set the Date: header, hoping IE would know to calculate the difference and work with skewed clocks... But that doesn't help IE.
  • Get the time from the client on demand (using JavaScript) and then calculate the difference in hours and then adjust the Expire header as needed. However, this requires complex data manipulation, including a way to send time to the server.

Questions:

  • What is the best and most common practice for using Expire time for cookies in IE?
  • How do you do this in your applications?
+8
internet-explorer cookies
4 answers
  • Set Max-Age, as everyone but Microsoft understands it.
  • Add JavaScript, which only runs in IE, to convert Max-Age to UTC according to the browser's clock and set the expiration time in the cookie. Please note that JavaScript cannot read the Max-Age set in the cookie, so you will have to provide this information (along with any other parameters) to the JavaScript in a different way.

From QuirksMode

    // Return the value of the named cookie, or null if it is not set.
    function readCookie(name) {
        var nameEQ = name + "=";
        var ca = document.cookie.split(';');
        for (var i = 0; i < ca.length; i++) {
            var c = ca[i];
            while (c.charAt(0) == ' ') c = c.substring(1, c.length);
            if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
        }
        return null;
    }

Then, after receiving the cookie's name, maxAge and otherOptions (e.g. path, domain) somewhere:

    // maxAge is in seconds; expires is computed from the browser's own clock.
    var date = new Date();
    date.setTime(date.getTime() + (maxAge * 1000));
    document.cookie = name + "=" + readCookie(name) + '; expires=' + date.toUTCString() + otherOptions;
+8

What I did was move the time to the server side. You can never be sure of time on the client side, but you know that your server never lies.

  • You save the time of the first request on the server (save the server time when sending data to the client), and you set the cookie with the maximum expiration, that is: 01/01/2900.
  • You track this time and, once, say, 10 minutes of server time have passed, you decide it is time to kill it.
  • Then you set the cookie date to the minimum, i.e. 01/01/1900. Deleting cookies:
    http://msdn.microsoft.com/en-us/library/ms178195(v=vs.100).aspx
+5

If I had such a requirement, I would use cookies in my application. Include the server expiration time in the contents of the cookie, protect the cookie with encryption or a hash, and reject the cookie if the timestamp in the cookie has passed.

This largely depends on the duration of the cookie for automatic login.

+2
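
The approach in the answer above (server expiry time inside the cookie, protected by a hash, rejected once the timestamp has passed), as an added example that is not part of the original answer. It uses HMAC-SHA256 as the keyed hash; the key, the cookie layout and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo key (assumption): load a long random secret from server config.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(data):
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _mac(payload):
    return _b64(hmac.new(SECRET_KEY, payload, hashlib.sha256).digest())


def issue_cookie_value(value, lifetime_s, now=None):
    """Build '<expiry>.<value>.<mac>'; expiry is epoch seconds on the server clock."""
    now = time.time() if now is None else now
    payload = "%d.%s" % (int(now) + lifetime_s, _b64(value.encode("utf-8")))
    return payload + "." + _mac(payload.encode("ascii"))


def read_cookie_value(cookie, now=None):
    """Return the stored value, or None if malformed, tampered with or expired."""
    now = time.time() if now is None else now
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    expiry_s, value_b64, mac = parts
    expected = _mac((expiry_s + "." + value_b64).encode("utf-8"))
    # Constant-time comparison, done before any field is parsed or trusted.
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("ascii")):
        return None
    if now >= int(expiry_s):  # expiry is judged by the server clock only
        return None
    padded = value_b64 + "=" * (-len(value_b64) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def set_cookie_header(name, value, lifetime_s, now=None):
    """Session cookie with no Expires or Max-Age, so the client clock plays no part."""
    token = issue_cookie_value(value, lifetime_s, now)
    return "Set-Cookie: %s=%s; Path=/; HttpOnly; Secure" % (name, token)
```

Because the header carries neither Expires nor Max-Age, a skewed client clock cannot drop the cookie early or keep it alive past the server-side limit.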

Just FYI, IE 11 supports Max-Age for cookies starting with version 11.0.15063.0.

I cannot find documentation from Microsoft stating this, but during development we found that our local version of IE was working, but our clients' was not. We narrowed it down to the difference in version of IE and the Max-Age property in cookies.

0