[Editor's Note:
Rasmus' Solution from the PHP-General list:
Just use a session cookie (by not providing an expiry time) and add the
server's expiry timestamp to the value of the cookie. Then when you get
that cookie sent to you, check it against your server's time and make the
decision on whether to accept the cookie or not based on that.
That way you are immune from people not having their system clocks set
right.
-Rasmus]
A couple of things I noticed when using this. I think it only works if you set the session_set_cookie_params() function BEFORE the session_start() function.
Also, when you set the "lifetime" on the cookie, it takes the seconds offset from the SERVER. It sends the cookie encoded to time out at the SERVER time. So if your server is +2 minutes ahead of the client, and you set the cookie to time out after 30 seconds, the client actually has 2 minutes and 30 seconds before the cookie times out. I don't know if there's any way that this can be patched in future versions, and the only alternative I think is setting cookies in JavaScript, which is hardly the point when using all these specific session functions.
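The approach quoted in the editor's note above (a session cookie whose value carries the server's expiry timestamp, checked against server time on each request), as an added example that is not part of the original notes. The function names, cookie name and key are hypothetical, and the HMAC over the value is an assumption added here because the timestamp travels in a client-controlled cookie.

```php
<?php
// Added example: all names and the key below are hypothetical placeholders.
const COOKIE_KEY = 'replace-with-a-random-secret-from-config';

// Build "base64(payload)|expiry|mac". The expiry comes from the SERVER clock,
// so the client's clock never takes part in the decision.
function make_cookie_value(string $payload, int $ttl, int $now): string
{
    $body = base64_encode($payload) . '|' . ($now + $ttl);
    return $body . '|' . hash_hmac('sha256', $body, COOKIE_KEY);
}

// Return the payload if the value is authentic and unexpired by server time,
// otherwise null.
function check_cookie_value(string $value, int $now): ?string
{
    $parts = explode('|', $value);
    if (count($parts) !== 3) {
        return null; // malformed
    }
    [$b64, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $b64 . '|' . $expiry, COOKIE_KEY);
    if (!hash_equals($expected, $mac)) {
        return null; // payload or timestamp was altered by the client
    }
    if (!ctype_digit($expiry) || (int) $expiry <= $now) {
        return null; // expired according to the server
    }
    $payload = base64_decode($b64, true);
    return $payload === false ? null : $payload;
}

$now   = time();
$value = make_cookie_value('user=42', 30, $now); // constructed sample payload

if (PHP_SAPI !== 'cli') {
    // 'expires' => 0 makes this a session cookie: no client-side expiry at all.
    setcookie('remember', $value, ['expires' => 0, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Client extends the timestamp without knowing the key.
$forged = str_replace((string) ($now + 30), (string) ($now + 3600), $value);

var_dump(check_cookie_value($value, $now + 10));  // within the 30 s window
var_dump(check_cookie_value($value, $now + 31));  // past the server expiry
var_dump(check_cookie_value($forged, $now + 31)); // tampered timestamp
```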