jerrygarciuh has asked for the wisdom of the Perl Monks concerning the following question:

I am asking this here because I need to adjust my script to deal with this situation. I have a cookie check line like so:

    # Reads the cookie named "current_bhangs"; set_cookie() below sets one named "bhangs".
    my $bhangs = $q->cookie(-name=>"current_bhangs") || set_cookie($q);

    sub set_cookie {
        my $q = shift;
        my $val = "schicken fu";
        # -expires is a relative offset that the browser checks against its own clock
        my $cookie = $q->cookie(
            -name    => "bhangs",
            -value   => "$val",
            -expires => "+2m",
        );
        print $q->redirect(-url=>url, -cookie=>$cookie);
        exit;
    }

The problem is that the cookie should be set to expire 2 minutes after it is set and I have found that if the time on the server and the time on the PC's internal clock are a mismatch (as they will almost always be) the browser chases its tail all day setting the cookie and checking to find it is already expired ad infinitum. Since I can't track the process via the cookie and tell the script it has a time mismatch since it successfully set the cookie less than 2 server clock seconds ago... I am at a loss. Should I abandon cookies and have the script sleep for 2 minutes instead of doing a cookie check?
Any advice greatly appreciated.
TIA
jg
_____________________________________________________
It's not my tree.

Replies are listed 'Best First'.
Re: Slightly OT: How to Code for Incorrect Clocks and Rapidly Expiring Cookies
by perrin (Chancellor) on Feb 28, 2002 at 19:50 UTC
    I'm not quite sure what you're using this for, but if it has anything to do with security, just remember that you can't trust the client. There is no reason anyone has to obey your request to remove this cookie after 2 minutes. If you really need to do this sort of thing safely, you should set a cookie with the time that the clock started ticking and a message digest to make sure it isn't tampered with. Then you can look at that on the server side and see if it has been 2 minutes yet or not.
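
The scheme perrin describes, as an added example that is not part of the original thread: the cookie carries the server's issue time plus an HMAC over it, and expiry is judged only against the server clock. The secret, the sub names and the sample times are assumptions made for illustration; HMAC-SHA256 from the core Digest::SHA module stands in for the "message digest".

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a server-side secret that never reaches the client (placeholder).
my $SECRET  = 'replace-with-long-random-server-secret';
my $MAX_AGE = 120;    # two minutes, measured on the server clock only

# Cookie value: "<issue time>:<HMAC of issue time>".
# Send it as a session cookie (no -expires), e.g.
#   $q->cookie(-name => 'bhangs', -value => make_token(time))
# so the client's clock never decides anything.
sub make_token {
    my ($now) = @_;
    return join ':', $now, hmac_sha256_hex($now, $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns 'missing', 'tampered', 'expired' or 'ok'.
sub check_token {
    my ($token, $now) = @_;
    return 'missing' unless defined $token && length $token;
    my ($issued, $mac) = $token =~ /\A(\d{1,12}):([0-9a-f]{64})\z/
        or return 'tampered';
    return 'tampered' unless same_string($mac, hmac_sha256_hex($issued, $SECRET));
    return 'expired' if $issued > $now || $now - $issued > $MAX_AGE;
    return 'ok';
}

# Constructed demo: fixed times stand in for time() so the run is repeatable.
my $t0    = 1_014_925_800;
my $token = make_token($t0);
(my $edited = $token) =~ s/\A\d+/$t0 + 3600/e;    # timestamp changed client-side

printf "%-32s %s\n", @$_ for (
    [ 'no cookie sent',            check_token(undef,   $t0) ],
    [ 'returned after 30 seconds', check_token($token,  $t0 + 30) ],
    [ 'returned after 5 minutes',  check_token($token,  $t0 + 300) ],
    [ 'timestamp edited by client', check_token($edited, $t0 + 300) ],
);
```

A cookie kept past two minutes is reported as expired, and one whose timestamp was changed fails the HMAC check, whatever the browser's clock says.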
Re: Slightly OT: How to Code for Incorrect Clocks and Rapidly Expiring Cookies
by beebware (Pilgrim) on Mar 02, 2002 at 17:47 UTC
    What I would do is set a session cookie (therefore totally ignoring the client end timestamp) and store the cookieid in a database on the server. When the cookie is given back to the server, check the database and the time it was 'given' - more than 2 minutes and you run your 'out of time' section of code. This also helps you avoid trusting the data stored by the client (a cookieid of around 128 randomly generated characters which timeout after 2 minutes is going to be extremely low on the 'possibility to hack' scale: bung in browser user-agent logging and IP logging into the database, over SSL, and you've got a nearly unhackable system as regards user authentication).
    The other alternative would be to use Javascript to create the cookie on the client end. But then think about 'javascript-cripple' browsers and how easy it would be to change the data...
Re: Slightly OT: How to Code for Incorrect Clocks and Rapidly Expiring Cookies
by jerrygarciuh (Curate) on Feb 28, 2002 at 19:43 UTC
    Blushing, I realize I can look out for the time mismatch by setting a param and having the script redirect to self_url instead of url.
    Mea Culpa,
    jg
    _____________________________________________________
    It's not my tree.