Re: deleting cookies and local browser time versus server time



On Jan 2, 4:34 pm, Good Man <he...@xxxxxxxxxx> wrote:

How can I test cookie expiration with that? The browser unsets cookies
based on what *it* thinks the time is, not what the server thinks the
time is.

In other words, if the server is in Pacific time, and I'm in Eastern
time, setting the cookie to expire on date() ( meaning, 'right now' )
looks to be 3 or 4 hours in the past to my browser. So, if the server
gives a cookie to expire at 4PM today, which is the time in Seattle,
that expiration date is already in the past for me, since it's already
7PM.

I guess I'm having a bit of difficulty trying to understand. Cookies
are local/stored on the user browser, correct? So with you in Los
Angeles and I in New York, we'll never see each others' cookies.

Perhaps I'm not understanding it properly myself. Let me try to
explain it.

The website gives a cookie to the browser. That cookie stores
information that applies only to that website. It's like asking the
browser to store information for the website, and return that
information when the browser returns to that website.

One of the properties of the cookie is that it has an expiry time. It
won't last forever; the time that it lasts is set by the website.
Since the expiry time may pass when the user is not browsing the site,
it's up to the browser to delete a cookie when it has expired. This
cookie deletion happens independently of the website; the browser does
it on its own.

If we are two browsers looking at the same site, we won't see each
others' cookies. You are correct there. However, if we are browsing the
same site, we will each have our own cookies that we each get from the
website.

However, when a user returns to a website, the website can see the
cookie(s) that it previously gave a browser, so long as they haven't
expired. If they have expired, the browser won't send them back to the
website. And therein lies the rub: if the browser and the server
disagree about what time it is, the server may be expecting the cookie
when the browser thinks it's too old.

So, if the server generates a cookie that is set to expire at
something like "date() + 5 minutes", a timezone change could trip that
up. For the server in California, the time may be 8 AM, so it gives
the cookie to the browser, with an expiration time of 8:05 AM. For the
browser in New York, it's already 11 AM ( if it's 8 AM in CA ) , so a
cookie set to expire at 8:05AM, the cookie is DOA.

It's like I'm in Portland and you're in New York. I want some
information from you, to get to the bank before 5 PM. For you, 5 PM
comes and goes, no information. Then, at 7PM New York time, you get
the information. You say, "Oh, it's past 5PM, it's too late."
Meanwhile in Portland, the local time is 4PM, because of the time zone
difference. You could call me and give me the information, but because
of the time zone difference, you and I disagree about what time it
is.


I interpreted your problem as essentially keeping a file 'open' or
'checked out' (insert your verb here) for 5 minutes before
allowing/disallowing changes or something. So, if you open a file at
10amPST, and I want to open it a minute later (1pm EST), I should see
that only 1 minute has passed (as opposed to 3 hours and 1 minute).

If that's the case, what I am suggesting is that when person A opens the
document, you record the SERVER time in a database or text file. Then
when person B hits the same document, PHP compares the time elapsed on
the server between when Person A and Person B accessed the document, i.e.:
whether or not it's been less than / greater than 5 minutes.

Actually that's a great idea. Instead of storing data in the cookie, I
can just store a unique token in it to identify returning users. I can
use that token to look up the actual data I want to store from the
database.


Sorry to be of so little help!

Well, it is helpful to discuss it with someone. If I can't explain my
situation properly, that probably means I don't understand it myself!
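
The approach the thread settles on (an opaque token in the cookie, with the data and the timestamp kept on the server) can look like the following. This is an added example, not code from any poster; `TokenStore`, `LOCK_TTL` and the `doc_token` cookie name are hypothetical, and the array stands in for the database table.

```php
<?php
// Added example: expiry is decided from the SERVER clock only, so the
// browser's clock or time zone never affects whether a token is valid.

const LOCK_TTL = 300; // 5 minutes, in seconds (hypothetical name)

final class TokenStore
{
    // token => ['issued' => unix time, 'data' => array]; stands in for a DB table
    private $rows = [];

    // Issue an unguessable token and record the server time of issue.
    public function issue(array $data, int $now): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $this->rows[$token] = ['issued' => $now, 'data' => $data];
        return $token;
    }

    // Return the stored data if the token is known and still fresh, else null.
    public function lookup(string $token, int $now): ?array
    {
        // Cookie values are attacker-controlled: check the shape before use.
        if (!preg_match('/\A[0-9a-f]{64}\z/', $token) || !isset($this->rows[$token])) {
            return null;
        }
        if ($now - $this->rows[$token]['issued'] >= LOCK_TTL) {
            unset($this->rows[$token]); // expired: drop the server-side state
            return null;
        }
        return $this->rows[$token]['data'];
    }
}

// Constructed demo. Unix timestamps carry no time zone, so the same
// arithmetic holds wherever the server and the browser are located.
$store = new TokenStore();
$t0    = 1700000000; // constructed "now" on the server
$token = $store->issue(['doc' => 'report.txt', 'user' => 'A'], $t0);

// In a real response the token would be sent as a session cookie, e.g.
// setcookie('doc_token', $token, ['expires' => 0, 'httponly' => true,
//           'secure' => true, 'samesite' => 'Lax']);

var_dump($store->lookup($token, $t0 + 60));        // one minute later
var_dump($store->lookup($token, $t0 + 301));       // after the 5-minute window
var_dump($store->lookup('not-a-token', $t0 + 1));  // malformed cookie value
```

Because the cookie carries only a random identifier, a user who edits it cannot extend the window or alter the stored data; the worst outcome is an unknown token, which is rejected.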