Unfortunately, Expires is an absolute date and depends on the user agent’s local date. As you have concluded correctly, this could lead to an inaccurate cookie expiry.
This is also the reason why IETF’s first standardization of Netscape’s original proposal replaced the absolute expiration date with a relative expiration date, the Max-Age attribute, which specifies the time in delta seconds from the point in time the cookie was issued. RFC 2965, which obsoleted RFC 2109, did the same, just as RFC 6265, which is currently the most recent specification for cookies.
Cookies as per RFC 6265 also allow specifying the expiry date by both a relative date using Max-Age and an absolute date using Expires, the latter primarily for backwards compatibility:
> If a cookie has both the Max-Age and the Expires attribute, the Max-Age attribute has precedence and controls the expiration date of the cookie.
So you could write your own function that mimics this behavior:
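```php
$maxage = 12345;
// Cookie dates are expressed in GMT, so format with gmdate() rather than date()
$expires = gmdate(DATE_COOKIE, time() + $maxage);
// Cookie attributes are separated by "; ", not by commas
header("Set-Cookie: $name=$value; Expires=$expires; Max-Age=$maxage; …");
```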
Here’s an example function:
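```php
function set_cookie($name, $value=null, $maxage=null, $path=null, $domain=null, $secure=false, $httponly=false) {
    // Percent-encode name and value so they cannot carry "=", ";" or control characters
    $cookie = rawurlencode($name) . '=' . rawurlencode((string) $value);
    $attributes = array();
    if (!is_null($maxage)) {
        $maxage = intval($maxage);
        // Expires (in GMT) serves older user agents; Max-Age takes precedence where supported.
        // A non-positive Max-Age yields an Expires date in the past (the epoch).
        $attributes[] = 'Expires='.gmdate(DATE_COOKIE, $maxage > 0 ? time()+$maxage : 0);
        $attributes[] = 'Max-Age='.$maxage;
    }
    if (!is_null($path)) {
        // Encode each path segment but keep the "/" separators intact
        $attributes[] = 'Path='.implode('/', array_map('rawurlencode', explode('/', $path)));
    }
    if (!is_null($domain)) {
        $attributes[] = 'Domain='.rawurlencode($domain);
    }
    if ($secure) {
        $attributes[] = 'Secure';
    }
    if ($httponly) {
        $attributes[] = 'HttpOnly';
    }
    // Second argument false: append this header instead of replacing an earlier Set-Cookie
    header('Set-Cookie: '.implode('; ', array_merge(array($cookie), $attributes)), false);
}
```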
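As an added example (not part of the original answer): a sketch of how a user agent applying the RFC 6265 precedence rule quoted above would derive a cookie's remaining lifetime, showing why the Max-Age form is unaffected by a skewed client clock. The function name `cookie_lifetime`, the sample cookies and the 30-minute skew are assumptions made for illustration.

```php
<?php
/**
 * Hypothetical helper: remaining lifetime in seconds as seen by the client,
 * or null for a session cookie (no usable Max-Age or Expires attribute).
 */
function cookie_lifetime(string $setCookie, int $clientNow): ?int
{
    $maxAge = null;
    $expires = null;
    // Skip the leading "name=value" pair, then walk the attributes.
    foreach (array_slice(explode(';', $setCookie), 1) as $attr) {
        $parts = explode('=', $attr, 2);
        $key = strtolower(trim($parts[0]));
        $val = trim($parts[1] ?? '');
        if ($key === 'max-age' && preg_match('/^-?\d+$/', $val)) {
            $maxAge = (int) $val;
        } elseif ($key === 'expires' && ($ts = strtotime($val)) !== false) {
            $expires = $ts;
        }
    }
    if ($maxAge !== null) {
        // Max-Age wins: it counts from the moment of receipt, so the
        // client's wall-clock setting does not matter.
        return max($maxAge, 0);
    }
    if ($expires !== null) {
        // Expires is compared against the client's own clock.
        return max($expires - $clientNow, 0);
    }
    return null;
}

// Constructed sample: the server issues a one-hour cookie at a fixed instant.
$serverNow = gmmktime(12, 0, 0, 1, 15, 2024);
$expires   = gmdate('D, d M Y H:i:s', $serverNow + 3600) . ' GMT';
$clientNow = $serverNow + 1800; // client clock runs 30 minutes fast

$both        = "sid=abc; Expires=$expires; Max-Age=3600; Path=/";
$expiresOnly = "sid=abc; Expires=$expires; Path=/";

// With both attributes the client keeps the cookie for the intended hour;
// with Expires alone the fast clock cuts the lifetime in half.
var_dump(cookie_lifetime($both, $clientNow));
var_dump(cookie_lifetime($expiresOnly, $clientNow));
```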