Is setting cookie expiration time: "time()-3600", always correct?

for delete cookie in PHP:

I read on the internet, and on my course slide too, that if we set expiration date to "time()-3600" we can't stay sure the cookie will be removed by the client,

because the client time and the server time can differ.

I agree with last statement, but why might the client not delete the cookie if the "time()" function return epoch value? it isn't absolute value?

I think if we set time()-3600, the response header set-cookie have expiration date as an absolute value, and the browser can interpret the value for find the data (as client local data) when the cookie is expired.

I'm doing it wrong?

• time() returns the number of seconds since midnight UTC on 1st January 1970, according to your server's clock.
• setcookie will then format that into the string format required by HTTP, which is always expressed in GMT.
• The client (browser) will then parse that date string, and compare it to the current time in GMT according to its own clock.

A correctly configured server and client should therefore agree that the value generated by time() - 3600 is in the past, so the cookie will be deleted.

However, there are a number of reasons this might go wrong:

• The server's clock has drifted more than an hour ahead.
• The server's time zone configuration is wrong, such that time() doesn't correctly adjust local time to UTC time.
• The client's clock has drifted more than an hour behind.
• The client's time zone configuration is wrong, such that the comparison is not correctly made against GMT.

It's also worth noting that in general you can't guarantee that a client will do anything you want. If you want to invalidate a session for security reasons, you must invalidate it on the server, and delete the cookie only as an additional convenience.