Short expiry cookies depend on users having their system clocks set correctly. Don't depend on the users having their clocks set right. Embed the timeout based on your server's clock in the cookie. ]]> Then when you receive the cookie, decode it and determine if it is still valid. ]]>