[Webkit-unassigned] [Bug 26193] New: Incorrect server time invalidates cookies

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jun 4 11:43:26 PDT 2009


           Summary: Incorrect server time invalidates cookies
           Product: WebKit
           Version: 525.x (Safari 3.2)
          Platform: Macintosh
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: alex at sirensclef.com

We recently ran into a problem where all Safari/WebKit users trying to log into
our application on a client's server were unable to do so. Firefox users had no

I tracked the problem down to a cookie issue. It turns out that the client's
server time was off (approx. 45 minutes earlier than it should be). This had
the effect of making cookies with an expiration date of less than 45 minutes in
the future expire immediately on Safari. Firefox somehow bypassed the influence
of the incorrect server time and set the expiration time for cookies as you'd
expect given a correct server time. One cookie required for our login lasts
less than 45 minutes, and given its inability to be set on Safari, this caused
Safari users to be blocked.

I have since requested that the client adjust their server time, which now
allows Safari users in. However, it seems to me that in an ideal world an
incorrect server time would not cause Safari cookies to go bad. I don't know
how Firefox manages to avoid the same issue, but adopting whatever intelligent
cookie parsing they use for cookie expiration time would be welcome.

This was verified with Safari release and Webkit builds 44282+, but for all I
know the problem could lie outside of Webkit. Note that sending Firefox's user
agent from Safari did not affect the situation, so I didn't suspect a problem
on the server side.

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list