HTML5 study on expires expiration time of cookie

In the course of learning cookies, when the cookie is set to expire, the cookie will not be deleted automatically after the setting time, restart the browser or even restart the computer after re-opening the webpage or not automatically deleted, in Baidu and other site console settings as a result. I have carried out an in-depth analysis of this phenomenon.

First, in the case of check syntax without errors, directly on the console input

Document.cookie = ' aa=bb;expires= ' +new Date () + ';p ath=/'

Return:

"Aa=bb;expires=sun APR 2018 14:27:56 gmt+0800 (China Standard Time);p ath=/"

Indicates that AA this record will be deleted on April 29, 2018 14:27:56

Since new date () is the time to get the local runtime, it is common sense that the cookie has expired after 1 seconds of spawning. It will be deleted directly by the browser and will not appear. You can return AA=BB when I enter document.cookie again to get all the cookies. Indicates that this cookie has not been deleted. After trying multiple times, find instant I set the time to expire

Document.cookie = ' aa=bb;expires= Sun Apr 2018 10:27:56 gmt+0800 (China Standard Time);p ath=/'

is still not deleted. It was deleted by the browser when it was set to 2018 6:27:00!!!

Combined with Chrome does not support local file cookies read and write I propose a hypothesis. Cookie expiration time is not the local time should be the server time, how can the browser get the server time? Suddenly I thought of the HTTP protocol that I saw before. The HTTP protocol header for the response is with server time. I immediately sacrificed the bag artifact fiddler to grab the browser.

Found sure!!!

Sublimeserver server is not actually local time is 2018 06:57:36 this is not far from the time I tried to get.

I immediately entered in the browser

Document.cookie = ' aa=bb;expires= Sun, APR 2018 07:00:00 GMT;p ath=/'

View after 3 minutes. The cookie was successfully deleted by the browser!!! Continue to test on Baidu Web page

The browser network captures Baidu server time as

Sun, APR 2018 07:08:01 GMT

Baidu's server time is actually not Beijing!!!!!!!

Added 2 minutes after the control set cookie on Baidu Web page

Document.cookie = ' aa=bb;expires= Sun, APR 2018 08:00:00 gmt;path=/'

After 2 minutes, regain. AA successfully resolved by the browser to remove this issue!!!

It concludes that the expiration time of the cookie setting is based on server time, which synchronizes the browser's time with the server when the browser gets any HTTP response headers from the server. Using the new Date () The local time obtained is not accurate. It differs greatly from the server. local time can be modified by the customer. If a cookie is used in local time, it can be used to achieve a permanent non-login.

HTML5 learning about expires expiration time for cookies analysis