New issue
Advanced search Search tips

Issue 606132 link

Starred by 2 users
Status: WontFix
Owner:
eroman@chromium.org
Closed: May 2016
Cc:
rsleevi@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug



Sign in to add a comment

Cookie with expiry time not saved when system date changes to past date

Reported by riyazpan...@gmail.com, Apr 23 2016 
<b>Chrome Version       : <Copy from: 'about:version'></b>
URLs (if applicable) :
Other browsers tested:
  Add OK or FAIL after other browsers where you have tested this issue:
    Firefox: PASS (45.0.2)
         IE: PASS (Microsoft Edge)

What steps will reproduce the problem?
(1) Change system date to past date.
(2) Set cookie with 30 minutes expiry time.
(3) Observe the cookie in resource section of chromium debugger tool.

What is the expected result?
-> cookie should be saved

What happens instead?
-> cookie not saved


Please provide any additional information below. Attach a screenshot if
possible.

Comment 1 by eroman@chromium.org, Apr 25 2016

Components: Internals>Network>Cookies
Labels: Needs-Feedback
This is probably working as intended -- Chromium infers clock skew between the server and the client when calculating cookie expiration (https://chromiumcodereview.appspot.com/11339032).

So if you are setting a cookie that is expired with respect to server time, it won't matter that you have adjusted your system clock backwards, it will still be considered expired.

Do you have a concrete example of the values being set, and the server time being returned in the HTTP response?

Comment 2 by riyazpan...@gmail.com, Apr 26 2016 

But other browsers support this handling.
Project Member

Comment 3 by sheriffbot@chromium.org, Apr 26 2016

Labels: -Needs-Feedback Needs-Review
Owner: eroman@chromium.org
Thank you for providing more feedback. Adding requester "eroman@chromium.org" for another review and adding "Needs-Review" label for tracking.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by eroman@chromium.org, Apr 26 2016 

Other browsers supporting it doesn't necessarily make that the correct behavior. Please provide an example and I can review. Adjusting for time skew fixes a different class of issues. And if your clock is too far off even HTTPS will stop working.

Comment 5 by pucchakayala@chromium.org, Apr 26 2016

Labels: -Needs-Review Needs-Feedback
Adding the label Needs-feedback as per # 4

Comment 6 by riyazpan...@gmail.com, Apr 28 2016 

Too far means how much time. 

I have checked one site where changes the system date to 1st november 2015 then page is loaded but google-analytics library not loaded.

On this website there are two https calls which is working fine on changing the date to 1/11/2015 but https://www.google-analytics.com/analytics.js library not loaded.

Please comment on this.
Project Member

Comment 7 by sheriffbot@chromium.org, Apr 28 2016

Labels: -Needs-Feedback Needs-Review
Thank you for providing more feedback. Adding "Needs-Review" label for tracking.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by eroman@chromium.org, May 2 2016

Labels: -Needs-Review
Status: WontFix (was: Unconfirmed)
RE comment #6 -- analytics.js is served with a certificate that is not valid before April 27, 2016, so it will not work if your date is Nov 2015.

Comment 9 by riyazpan...@gmail.com, May 3 2016 

But my https call are working fine even if system date is set to past date.

As per your old comment, these should be stop working.

Comment 10 by eroman@chromium.org, May 3 2016

Cc: rsleevi@chromium.org
@riyazpanarwala: I don't follow. Are you saying that you *can* load https://www.google-analytics.com/analytics.js when your clock is set to 2015? You shouldn't be able to, as we expect that to fail with ERR_CERT_DATE_INVALID.

Either way the original bug is still a won't fix as noticing clock skew between client and server when setting cookies is intentional. Do you have a use-case or example for why you think that should work?

Sign in to add a comment