Forum Discussion
Hamish
Sep 21, 2010 · Cirrocumulus
Sorry. We're going to need a bit more detail. Sadly my telepathy isn't what it used to be. For the format of 'set-cookie' see RFC2109... http://www.ietf.org/rfc/rfc2109.txt
Now, max-age is DELTA seconds. Of course the cookie will be deleted when you set the clock forward on the PC after the cookie is received... The time just went forward... It's a delta from when the cookie was set (i.e. the browser works out the expiry time when it receives the cookie with the delta time in it). This is explicitly so that machines with invalid times actually work. Back when this was designed we didn't have NTP everywhere on all the clients (OK, some of us did... but we were pretty much the exception). Most PCs got their time set when they booted. If they were lucky.
So put your clock forward and it'll expire... The browser doesn't know you just jumped the time forward manually. It's not magic.
FWIW trying to do session timings in the client is NOT a good idea. You control sessions where you control the data. Much better to keep a table locally and use the cookie as an opaque key into the table. The value in the table for the key is the session info. If the key/value doesn't exist in the session table then the session doesn't exist. Simple. And you can then use session cookies. To destroy the session just provide a URL that when accessed wipes it out.
H
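
The server-side session table described in the post above, as an added example that is not part of the original post. The class name `SessionTable`, the cookie name `sid` and the 900-second idle timeout are assumptions chosen for illustration.

```python
import secrets
import time


class SessionTable:
    """Server-side session table keyed by an opaque cookie value (hypothetical helper)."""

    def __init__(self, idle_timeout=900, clock=time.monotonic):
        self.idle_timeout = idle_timeout  # seconds, enforced with the server's clock only
        self.clock = clock                # injectable so expiry can be exercised in tests
        self._table = {}                  # key -> (last_seen, session_data)

    def create(self, data):
        key = secrets.token_urlsafe(32)   # random value; carries no meaning for the client
        self._table[key] = (self.clock(), data)
        return key

    def set_cookie_header(self, key):
        # No Max-Age/Expires attribute: this is a session cookie, so the
        # client's clock plays no part in deciding when the session ends.
        return f"Set-Cookie: sid={key}; Path=/; HttpOnly; Secure"

    def lookup(self, key):
        entry = self._table.get(key)
        if entry is None:
            return None                   # no row in the table means no session
        last_seen, data = entry
        now = self.clock()
        if now - last_seen > self.idle_timeout:
            del self._table[key]          # expired according to the server
            return None
        self._table[key] = (now, data)    # sliding idle timeout
        return data

    def destroy(self, key):
        # What the handler behind the "wipe it out" URL would call.
        return self._table.pop(key, None) is not None


if __name__ == "__main__":
    table = SessionTable(idle_timeout=900)
    sid = table.create({"user": "alice"})       # constructed sample session data
    print(table.set_cookie_header(sid))
    print(table.lookup(sid))                    # session info while the row exists
    table.destroy(sid)
    print(table.lookup(sid))                    # None once the row is gone
```

A cookie value that was never issued, or whose row has been removed, resolves to no session regardless of what the browser still holds.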