We sometimes run into the following situation:

1. client and server have vastly different clock times
2. client logs in
3. server sends back a cookie with an expiration date which according to the client's clock is in the past
4. client web browser discards the cookie as expired and doesn't send it back to the server on the next request
5. server sees that there's no session cookie, interprets the client as not being logged in, redirects client to the login page

This is basically impossible to prevent, but it would be nice if we detected when it looked like it was happening, say by detecting anytime we set a cookie and then get back no cookie on the next request, or something.
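
One way to implement the detection suggested above, as an added example rather than code from the original report: alongside the expiring session cookie, the server sets a signed probe cookie with no expiration date, which the browser keeps regardless of its clock. The cookie names, `KEY`, the 10-minute window and the `browser_cookie_header` stand-in for a browser are all assumptions made for the sketch.

```python
import hashlib, hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from http.cookies import SimpleCookie

KEY = b"constructed-demo-key"           # assumption: per-deployment secret
PROBE_WINDOW = timedelta(minutes=10)    # assumption: how long a probe counts as "just logged in"

def _tag(ts: str) -> str:
    return hmac.new(KEY, ts.encode(), hashlib.sha256).hexdigest()

def login_set_cookies(session_id, server_now, lifetime=timedelta(hours=8)):
    """Set-Cookie values sent on a successful login (server_now must be UTC-aware)."""
    expires = format_datetime(server_now + lifetime, usegmt=True)
    ts = str(int(server_now.timestamp()))
    return [
        f"session={session_id}; Expires={expires}; Path=/; HttpOnly; Secure",
        # No Expires attribute: kept until the browser closes, whatever its clock says.
        f"login_probe={ts}.{_tag(ts)}; Path=/; HttpOnly; Secure",
    ]

def classify(cookie_header, server_now):
    """Return 'ok', 'cookie_dropped' or 'anonymous' for an incoming request."""
    jar = SimpleCookie(cookie_header or "")
    if "session" in jar:
        return "ok"
    if "login_probe" not in jar:
        return "anonymous"              # never logged in, or cookies disabled entirely
    ts, _, tag = jar["login_probe"].value.partition(".")
    good = ts.isdigit() and hmac.compare_digest(tag.encode(), _tag(ts).encode())
    if not good:
        return "anonymous"              # forged or damaged probe
    age = server_now - datetime.fromtimestamp(int(ts), timezone.utc)
    return "cookie_dropped" if timedelta(0) <= age <= PROBE_WINDOW else "anonymous"

def browser_cookie_header(set_cookies, client_now):
    """Constructed stand-in for a browser: drop cookies whose Expires is already past."""
    kept = []
    for raw in set_cookies:
        pair, *attrs = [p.strip() for p in raw.split(";")]
        exp = next((a[8:] for a in attrs if a.lower().startswith("expires=")), None)
        if exp is None or parsedate_to_datetime(exp) > client_now:
            kept.append(pair)
    return "; ".join(kept)
```

A `cookie_dropped` result on the request right after login is the signal to log the event and show a "check your computer's clock" message instead of redirecting to the login page again.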