http - Set-Cookie: Expire property, clock skew and Internet Explorer issue

Question

There is a header Max-Age that allows to specify the expiration time of a cookie. Unfortunately Internet Explorer 6, 7, 8 and probably later do not support Max-Age and require Expires header with an absolute date in GMT.

It is not uncommon that GMT time and TZ settings on specific client may be incorrect. Consider user that had not defined his time zone correctly and adjusts the clock manually.

More than that, sometimes there may be a significant clock skew of many minutes that the user is unaware of them.

In such a case its GMT time may be shifted up to several hours. Effectively it would prevent from a server to set any cookie that requires short expiration time. Consider a cookie that has maximal age of 10 minutes would never be set if TZ is incorrect.

Original ideas on how to solve the problem (that does not work or problematic):

1. Of course the best is to use Max-Age or even specify both as all browsers would ignore "Expire" part - but it does not work in IE
2. Another way I thought of is setting Date: header hopefully the IE would know to calculate the difference to work around clock skew... But it does not help IE.
3. Get the time from the client upon the request (using JavaScript) and than calculate the clock difference and then adjust Expire header as needed. However it requires complex data manipulation including some way to submitting the time to the server.

Questions:

1. What is the best and the common practice to handle Expire time for cookies in IE?
2. How do you do it in your applications

Answer 1

• Set Max-Age as everyone but Microsoft understands it.
• Add Javascript that runs only on IE to convert Max-Age to UTC according to the browser's clock and set that expiration time on the cookie. Note that JavaScript cannot read the Max-Age set in the cookie, so you will have to provide that information (along with any other options) to the JavaScript some other way.

From QuirksMode

function readCookie(name) {
var nameEQ = name + "=";
var ca = document.cookie.split(';');
for(var i=0;i < ca.length;i++) {
    var c = ca[i];
    while (c.charAt(0)==' ') c = c.substring(1,c.length);
    if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
}
return null;
}

Then after you get the cookie name and maxAge and otherOptions (e.g. path, domain) from somewhere:

var date = new Date();
date.setTime(date.getTime() + (maxAge * 1000));
document.cookie = name + "=" + readCookie(name) + 
    '; expires=' + date.toUTCString() + otherOptions