Can we set a cookie in php according to client's time?

Question

I have following requirements:

1. create a cookie for server domain
2. that cookie will expire in x seconds say in 200 or 500 seconds.

Problem is, that clients can lag as much as many minutes behind server. On server side I am setting cookie as

setcookie($cooName,$cooVal,time()+500,"/");

but now if client computer is 500 seconds behind server, above code will effect into a cookie which will expire in 1000 seconds not 500 seconds.

I was thinking to send client's time stamp to server and set cookie on that time. something like this:

setcookie($cooName,$cooVal,$_GET['clientTS']+500,"/");

But if client is 500 seconds behind, and if I set such a cookie which is backdated it does not get set. How to achieve a time sync between client and server in case of cookie expiry?

Answer 1

Unfortunately, Expires is an absolute date and depends on the user agent’s local date. As you have concluded correctly, this could lead to an inaccurate cookie expiry.

This is also the reason why IETF’s first standardization of Netscape’s original proposal, replaced the absolute expiration date by a relative expiration date, the Max-Age attribute that specified the time in delta seconds from the point in time the cookie has been issued. RFC 2965, that obsoleted RFC 2109, did the same. Just as RFC 6265, that is currently the most recent specification for cookies.

Cookies as per RFC 6265 do also allow to specify the expiry date by both a relative date using Max-Age and a absolute date using Expires, the latter primarily for backwards compatibility:

If a cookie has both the Max-Age and the Expires attribute, the Max-Age attribute has precedence and controls the expiration date of the cookie.

So you could write your own function that mimics this behavior:

$maxage = 12345;
$expires = date(DATE_COOKIE, time()+$maxage);
header("Set-Cookie: $name=$value, Expires=$expires, Max-Age=$maxage, …");

---

Here’s an example function:

function set_cookie($name, $value=null, $maxage=null, $path=null, $domain=null, $secure=false, $httponly=false) {
    $cookie = rawurlencode($name) . '=' . rawurlencode($value);
    $attributes = array();
    if (!is_null($maxage)) {
        $maxage = intval($maxage);
        $attributes[] = 'Expires='.date(DATE_COOKIE, $maxage > 0 ? time()+$maxage : 0);
        $attributes[] = 'Max-Age='.$maxage;
    }
    if (!is_null($path)) {
        $attributes[] = 'Path='.rawurlencode($path);
    }
    if (!is_null($domain)) {
        $attributes[] = 'Domain='.rawurlencode($domain);
    }
    if ($secure) {
        $attributes[] = 'Secure';
    }
    if ($httponly) {
        $attributes[] = 'HttpOnly';
    }
    header('Set-Cookie: '.implode('; ', array_merge(array($cookie), $attributes)), false);
}