How the GDPR Reminded Me To Always Use UTC When Working With Dates

Internet tech stuff ahead warning.

Due to the GDPR, I recently spent way too much time on creating a Cookie Wall of Doom. Unless you explicitly opt-in to some level of tracking, you cannot use the site. To prevent the customer from having Cookie Wall of Doom shoved in their face on every damned page, we set a cookie, which stores your preference for a year.

At first, I set the expiry with max-age=31536000, as I could not recall that that there would be issues, beyond no support in IE<9. (But if you insist on still using those, you are bound to have bigger challenges online than a cookie wall.) Alas, reports came in that in Internet Explorer 11 the Cookie Wall of Doom came back at the start of every new browser session.

So, back to good old expires:

var expiryDate = new Date();
expiryDate.setFullYear(expiryDate.getFullYear() + 1);
document.cookie = 'cookie-consent-pref=foo;; expires=' + expiryDate + '; path=/;';

Update the code, patch it all around, deploy all the things, and on to do something useful.

Alas, sad trumpet.

As it turns out, all browsers play ball with this implementation, except the two from Microsoft. Those appear to really insist that when the spec says that you should use a date-in-GMTString-format, you actually use a date in GTMString format. (And never you mind that toGMTString() is deprecated and you should toUTCString() instead.)

Using the code above, expiryDate gets set as “Wed Jun 06 2018 12:10:24 GMT+0200 (Central Europe Daylight Time)”, which works just fine in about every browser but Internet Explorer and Edge, who will claim that the cookie is set to expire at the end of the session. Which is ungood, and in this case, shows you Cookie Walls of Doom when it shouldn’t.

So another round of updating the code (document.cookie = 'cookie-consent-pref=foo;; expires=' + expiryDate.toUTCString() + '; path=/;'), patching it all around, deploying all the things, and back to doing something useful.

Remember, kids, always use UTC. It’ll save you a lot of frustration.