The server and client are in different time zones. The difference is 6 hours. The server sets a cookie for 1 hour, and the client correctly receives it and keeps it for an hour, although the client's time is currently 5 hours earlier. How does the client correctly set the cookie to last exactly one hour? Could it be that the browser looks at the "Date" header? If so, what if the server is behind another proxy server, which sets its own "Date" header?
Answers must provide proof with a reference to an RFC or something similar.
There are 2 ways to specify a maximum age for the cookie:
Max-Age is relative to the time of setting. So T_expiration = T_setting + Max-Age
Otherwise, the Expires attribute sets a date / time value including a timezone: https://www.rfc-editor.org/rfc/rfc6265#section-5.1.1
Example from the RFC itself:
Expires=Wed, 09 Jun 2021 10:18:14 GMT
There are many standards (old and new) that favor GMT (UTC) as a date / time format:
From RFC 2616 we got the so-called HTTP format:
All HTTP date/time stamps MUST be represented in Greenwich Mean Time (GMT), without exception. For the purposes of HTTP, GMT is exactly equal to UTC (Coordinated Universal Time).
The Expires attribute should also set the time in HTTP format:
e.g. Set-Cookie: reg_fb_gate=deleted; Expires=Thu, 01-Jan-1970 00:00:01 GMT; Path=/; Domain=.example.com; HttpOnly
(from Wikipedia)
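As an added example (not part of the original answer, and not code from any browser): a simplified JavaScript version of the RFC 6265 cookie-date parsing and expiry rules referenced above. The function names `parseCookieDate` and `expiryFromSetCookie` and the `sid=abc` sample headers are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, not a browser API.
const MONTHS = ["jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec"];

// Simplified RFC 6265 section 5.1.1 cookie-date parser. Returns epoch ms or null.
function parseCookieDate(s) {
  let time = null, day = null, month = null, year = null, m;
  // Tokens are runs of digits, letters and ':'; everything else is a delimiter.
  for (const tok of s.split(/[^0-9A-Za-z:]+/).filter(Boolean)) {
    const mon = MONTHS.indexOf(tok.slice(0, 3).toLowerCase());
    if (time === null && (m = /^(\d{1,2}):(\d{1,2}):(\d{1,2})(?!\d)/.exec(tok))) {
      time = m.slice(1).map(Number);
    } else if (day === null && (m = /^(\d{1,2})(?!\d)/.exec(tok))) {
      day = Number(m[1]);
    } else if (month === null && mon >= 0) {
      month = mon;
    } else if (year === null && (m = /^(\d{2,4})(?!\d)/.exec(tok))) {
      year = Number(m[1]);
      if (year >= 70 && year <= 99) year += 1900;
      else if (year <= 69) year += 2000;
    }
  }
  if (time === null || day === null || month === null || year === null) return null;
  const [h, min, sec] = time;
  if (day < 1 || day > 31 || year < 1601 || h > 23 || min > 59 || sec > 59) return null;
  // Fields are interpreted as UTC; the client's local time zone is never consulted.
  return Date.UTC(year, month, day, h, min, sec);
}

// Expiry as epoch ms: Max-Age takes precedence over Expires (RFC 6265 section 5.3).
// nowMs is the client's clock at receipt; epoch time is the same in every time zone.
function expiryFromSetCookie(header, nowMs) {
  let maxAge = null, expires = null;
  for (const part of header.split(";").slice(1)) { // skip the name=value pair
    const eq = part.indexOf("=");
    if (eq < 0) continue; // flag attributes such as HttpOnly
    const name = part.slice(0, eq).trim().toLowerCase();
    const value = part.slice(eq + 1).trim();
    if (name === "max-age" && /^-?\d+$/.test(value)) maxAge = Number(value);
    else if (name === "expires") expires = parseCookieDate(value) ?? expires;
  }
  // Zero or negative Max-Age means "already expired" (0 stands in for the earliest time).
  if (maxAge !== null) return maxAge <= 0 ? 0 : nowMs + maxAge * 1000;
  return expires; // null: session cookie, or an Expires value that did not parse
}

// Constructed sample: received at 09:18:14 UTC, both forms expire one hour later.
const demoNow = Date.UTC(2021, 5, 9, 9, 18, 14);
console.log(new Date(expiryFromSetCookie("sid=abc; Max-Age=3600", demoNow)).toISOString());
console.log(new Date(expiryFromSetCookie("sid=abc; Expires=Wed, 09 Jun 2021 10:18:14 GMT", demoNow)).toISOString());
```

Because Expires names an absolute instant, a client whose clock is wrong keeps the cookie for a different real duration, while Max-Age is counted from the client's own clock at receipt.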