How does a browser correctly calculate the expiration datetime of a cookie when server and client are in different time zones?

The server and the client are in different time zones, 6 hours apart. The server sets a cookie for 1 hour, and the client receives it correctly and keeps it for one hour, even though the client's current time is 5 hours earlier. How does the client set the cookie for exactly one hour? Does the browser perhaps look at the "Date" header? If so, what if the server sits behind another proxy server that sets its own "Date" header?

A reference to an RFC or some other proof must be provided.

There are two ways to specify the maximum lifetime of a cookie:

Max-Age is relative to the time the cookie is set, so T_expiration = T_setting + Max-Age

Otherwise, the Expires attribute sets a date/time value that includes a time zone: https://www.rfc-editor.org/rfc/rfc6265#section-5.1.1

Example from the RFC itself:

Expires=Wed, 09 Jun 2021 10:18:14 GMT

There are many standards (old and new) that support GMT (UTC) as the date/time format:

From RFC 2616 we get the so-called HTTP format:

All HTTP date/time stamps MUST be represented in Greenwich Mean Time (GMT), without exception. For the purposes of HTTP, GMT is exactly equal to UTC (Coordinated Universal Time).

The Expires attribute should also set the time in HTTP format:

e.g. Set-Cookie: reg_fb_gate=deleted; Expires=Thu, 01-Jan-1970 00:00:01 GMT; Path=/; Domain=.example.com; HttpOnly (from Wikipedia)

The time zone actually doesn't matter, because HTTP dates are supposed to be UTC (historically GMT) anyway (see RFC 7231, sec. 7.1.1.1):

An HTTP-date value represents time as an instance of Coordinated Universal Time (UTC). The first two formats indicate UTC by the three-letter abbreviation for Greenwich Mean Time, "GMT", a predecessor of the UTC name; values in the asctime format are assumed to be in UTC.

So the server's Date header should be authoritative, since the Set-Cookie header itself does not know the date (see RFC 6265, sec. 4.1.1). Your assumption that the next proxy will tack on its own Date header is a bit off. This should only ever happen if the originating server itself has not set one (cf. RFC 7231, sec. 7.1.1.2):

An origin server MUST NOT send a Date header field if it does not have a clock capable of providing a reasonable approximation of the current instance in Coordinated Universal Time. An origin server MAY send a Date header field if the response is in the 1xx (Informational) or 5xx (Server Error) class of status codes. An origin server MUST send a Date header field in all other cases.

A recipient with a clock that receives a response message without a Date header field MUST record the time it was received and append a corresponding Date header field to the message's header section if it is cached or forwarded downstream.
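To make the two answers above concrete, here is an added example (not part of the question or either answer, and not any browser's code) that walks through what a user agent does with a Set-Cookie header: it parses a cookie-date with the tokenizing algorithm from RFC 6265 section 5.1.1, gives Max-Age precedence over Expires as section 5.3 requires, and measures the remaining lifetime against the server's Date header rather than the client's clock. Function names (parseCookieDate, cookieExpiry, remainingLifetimeMs) and the sample headers are this example's own constructions. Because every value is a UTC instant, the client's local time zone never enters the calculation, which is the point both answers make.

```javascript
// Added example: how a user agent derives a cookie's absolute expiry time.
// Follows RFC 6265 sections 5.1.1 (cookie-date), 5.2.1 (Max-Age), 5.2.2 (Expires)
// and 5.3 (Max-Age wins over Expires). Not a browser's real implementation.

const MONTHS = ["jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec"];

// RFC 6265 5.1.1 delimiters: %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E.
// Note that ":" (0x3A) is deliberately NOT a delimiter, so "10:18:14" stays one token.
const DELIMITER = /[\x09\x20-\x2F\x3B-\x40\x5B-\x60\x7B-\x7E]+/;

// Parse a cookie-date into a UTC epoch in milliseconds, or null if malformed.
function parseCookieDate(text) {
  let time = null, day = null, month = null, year = null;
  for (const token of text.split(DELIMITER)) {
    if (token === "") continue;
    let m;
    if (time === null && (m = /^(\d{1,2}):(\d{1,2}):(\d{1,2})(?:\D|$)/.exec(token))) {
      time = [Number(m[1]), Number(m[2]), Number(m[3])];
    } else if (day === null && (m = /^(\d{1,2})(?:\D|$)/.exec(token))) {
      day = Number(m[1]);
    } else if (month === null && MONTHS.includes(token.slice(0, 3).toLowerCase())) {
      month = MONTHS.indexOf(token.slice(0, 3).toLowerCase());
    } else if (year === null && (m = /^(\d{2,4})(?:\D|$)/.exec(token))) {
      year = Number(m[1]);
      // Two-digit years: 70-99 mean 19xx, 00-69 mean 20xx (RFC 6265 5.1.1 steps 3-4).
      if (year >= 70 && year <= 99) year += 1900;
      else if (year >= 0 && year <= 69) year += 2000;
    }
  }
  if (time === null || day === null || month === null || year === null) return null;
  const [h, mi, s] = time;
  if (day < 1 || day > 31 || year < 1601 || h > 23 || mi > 59 || s > 59) return null;
  // Date.UTC treats the fields as UTC, so the machine's local zone plays no part.
  return Date.UTC(year, month, day, h, mi, s);
}

// Absolute expiry (UTC epoch ms) of a Set-Cookie value, given the UTC time
// "nowMs" at which the user agent received it. Returns null for a session cookie.
function cookieExpiry(setCookieValue, nowMs) {
  const attrs = {};
  for (const part of setCookieValue.split(";").slice(1)) {
    const eq = part.indexOf("=");
    const name = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[name] = eq < 0 ? "" : part.slice(eq + 1).trim();
  }
  if ("max-age" in attrs) {
    const v = attrs["max-age"];
    // 5.2.1: first char must be DIGIT or "-", the rest DIGITs; otherwise the attribute is ignored.
    if (/^-?\d+$/.test(v)) {
      const delta = Number(v);
      // Non-positive delta: "earliest representable date" (epoch 0 here), i.e. expire at once.
      return delta <= 0 ? 0 : nowMs + delta * 1000;
    }
  }
  if ("expires" in attrs) {
    const t = parseCookieDate(attrs["expires"]);
    if (t !== null) return t; // a malformed Expires is ignored (5.2.2)
  }
  return null; // neither attribute: session cookie
}

// Lifetime left on the cookie, measured against the server's Date header.
// An HTTP-date is a valid cookie-date, so the same parser serves both.
function remainingLifetimeMs(setCookieValue, dateHeader) {
  const serverNow = parseCookieDate(dateHeader);
  if (serverNow === null) return null;
  const expiry = cookieExpiry(setCookieValue, serverNow);
  return expiry === null ? null : expiry - serverNow;
}

// Constructed sample headers (not captured from a real server).
const DATE = "Wed, 09 Jun 2021 09:18:14 GMT";
const BY_EXPIRES = "id=abc; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/";
const BY_MAX_AGE = "id=abc; Max-Age=3600; Path=/";
const LEGACY = "reg_fb_gate=deleted; Expires=Thu, 01-Jan-1970 00:00:01 GMT; Path=/; HttpOnly";

console.log(remainingLifetimeMs(BY_EXPIRES, DATE));           // 3600000
console.log(remainingLifetimeMs(BY_MAX_AGE, DATE));           // 3600000
console.log(new Date(cookieExpiry(LEGACY, 0)).toISOString()); // 1970-01-01T00:00:01.000Z
```

Run it with `node` on any machine: changing the process's TZ environment variable does not change a single printed value, because the parser never calls a local-time API. The dashed "01-Jan-1970" form from the Wikipedia line is handled by the same tokenizer, since "-" is one of the RFC's delimiters.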