Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
858 views
in Technique[技术] by (71.8m points)

http - Set-Cookie: Expire property, clock skew and Internet Explorer issue

There is a header Max-Age that allows to specify the expiration time of a cookie. Unfortunately Internet Explorer 6, 7, 8 and probably later do not support Max-Age and require Expires header with an absolute date in GMT.

It is not uncommon that GMT time and TZ settings on specific client may be incorrect. Consider user that had not defined his time zone correctly and adjusts the clock manually.

More than that, sometimes there may be a significant clock skew of many minutes that the user is unaware of them.

In such a case its GMT time may be shifted up to several hours. Effectively it would prevent from a server to set any cookie that requires short expiration time. Consider a cookie that has maximal age of 10 minutes would never be set if TZ is incorrect.

Original ideas on how to solve the problem (that does not work or problematic):

  1. Of course the best is to use Max-Age or even specify both as all browsers would ignore "Expire" part - but it does not work in IE
  2. Another way I thought of is setting Date: header hopefully the IE would know to calculate the difference to work around clock skew... But it does not help IE.
  3. Get the time from the client upon the request (using JavaScript) and than calculate the clock difference and then adjust Expire header as needed. However it requires complex data manipulation including some way to submitting the time to the server.

Questions:

  1. What is the best and the common practice to handle Expire time for cookies in IE?
  2. How do you do it in your applications
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)
  • Set Max-Age as everyone but Microsoft understands it.
  • Add Javascript that runs only on IE to convert Max-Age to UTC according to the browser's clock and set that expiration time on the cookie. Note that JavaScript cannot read the Max-Age set in the cookie, so you will have to provide that information (along with any other options) to the JavaScript some other way.

From QuirksMode

function readCookie(name) {
var nameEQ = name + "=";
var ca = document.cookie.split(';');
for(var i=0;i < ca.length;i++) {
    var c = ca[i];
    while (c.charAt(0)==' ') c = c.substring(1,c.length);
    if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
}
return null;
}

Then after you get the cookie name and maxAge and otherOptions (e.g. path, domain) from somewhere:

var date = new Date();
date.setTime(date.getTime() + (maxAge * 1000));
document.cookie = name + "=" + readCookie(name) + 
    '; expires=' + date.toUTCString() + otherOptions

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...