Eric Sammer wrote:
> the expire *i'm* specifying is just a relative '-1D' to cause the
> browser to drop it. if there's a better way, i'm certainly open to
> suggestions.

The HTTP headers do not support relative dates as far as I know. Thus when you specify a relative date the code must calculate the expiry date for you and send it back to the browser. If a user has their date and time set such that the cookie is still valid they will continue to return it.

You might want to consider invalidating the cookie by setting the content to an empty value as well as setting the expiry date. This would then mean that even if they still think it's valid they have no value, only an empty string (which, AFAIK, most browsers will treat as an invalid cookie).

You might be more comfortable making the expiry more than a day old. I logged onto a machine the other day and started getting browser messages that my server's security certificate had expired or was not yet valid. It turned out that the RTC on the machine was set to 1980. Maybe the user just wanted to relive the 80's ;)

Rob Lambden
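
The clock-skew problem described in this reply, as an added example in Python (not code from the thread): it builds the '-1D' header and the empty-value, far-past variant, then models a browser that compares `Expires` against its own clock. The cookie name `session`, the helper names and both dates are constructed for illustration, and the server-side rule of ignoring empty values is an assumption of this sketch.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample clocks: a server with correct time, a client whose RTC says 1980.
SERVER_NOW = datetime(2004, 6, 1, 12, 0, tzinfo=timezone.utc)
SKEWED_CLIENT = datetime(1980, 1, 1, tzinfo=timezone.utc)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def expiring_cookie(name, server_now, value="", expires=None):
    """Build a Set-Cookie value asking the browser to drop `name`.

    expires=None reproduces the relative '-1D' approach: the server turns it
    into an absolute date one day before ITS OWN clock.
    """
    when = expires if expires is not None else server_now - timedelta(days=1)
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["expires"] = format_datetime(when, usegmt=True)
    return jar[name].OutputString()

def client_still_sends(set_cookie, client_now):
    """Model a browser: the cookie lives while Expires is ahead of the client's clock."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = next(iter(jar.values()))
    return parsedate_to_datetime(morsel["expires"]) > client_now

def session_from_request(cookie_header, name="session"):
    """Server side (assumed rule): an empty value counts as no cookie at all."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(name)
    return morsel.value if morsel is not None and morsel.value else None

if __name__ == "__main__":
    one_day = expiring_cookie("session", SERVER_NOW, value="abc123")
    cleared = expiring_cookie("session", SERVER_NOW, expires=EPOCH)
    for label, header in (("-1D", one_day), ("empty + epoch", cleared)):
        print(label, "| still sent by 1980 client:",
              client_still_sends(header, SKEWED_CLIENT), "|", header)
    print("server sees:", session_from_request('session=""'))
```

Even when a skewed client keeps returning the cookie, the emptied value means the server has nothing to accept as a session.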