Login time-out is broken

Created on 30 March 2011, almost 15 years ago
Updated 15 May 2025, 9 months ago

There is a bug with the way time-out is implemented. Time-out time is set as a particular clock time on the server but evaluated on the client machine. As a result, if the client machine's clock is set forward in time by a larger amount than the login time-out, they cannot log in. Detailed example below. (Assuming a 3 hour timeout, but the issue is valid for any timeout length.)

  1. User attempts to log in (11:59 pm GMT according to user's clock)
  2. Server validates login (11:59 am GMT according to server's clock)
  3. Server sends user cookie for valid login that expires at 2:59 pm GMT
  4. User's computer notes that 2:59 pm is before 11:59 pm. Thus the cookie is already expired. Therefore the cookie gets immediately discarded
  5. User's computer attempts to visit logged in page without cookie
  6. Server says hey you are not logged in and sends back error message
  7. User curses your broken website and never comes back*

* Or, if you are lucky, tells you that it is impossible to log in. Which you cannot replicate.

A few extra notes about this issue.

  • There is a version of Firefox that does not exhibit this problem. It attempts to auto correct the problem. However, that is no longer the case so I'm guessing it is "fixed" in current versions of Firefox.
  • I have validated this issue in IE 9, Opera 10.61, Firefox 3.6.13, Safari 5.0.2 (for Windows), Chrome 12.0.712.0 and Lynx 2.8.6rel.1 (for Windows)
  • User timezone does not matter.
    • The server cookie is explicitly sent in GMT
    • The user's clock must be incorrect within their timezone as a result.
  • A surprising number of users' clocks are wrong
  • Users do not like being told that their clock is wrong
  • Users don't like not being able to log in when it is required of them
  • I have strayed from useful bug related information and will stop now

🐛 Bug report
Status: Active
Version: 3.0
Component: Code
Created by: antgiant (🇺🇸 United States)
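
The seven steps in the report, modelled as an added example (not the module's code and not part of the original report): it follows the cookie storage rules of RFC 6265, section 5.3, and compares an absolute Expires attribute with a relative Max-Age attribute under the report's clocks. The function names, the cookie name `session` and its value are assumptions made for the example.

```javascript
// Constructed model of a browser's cookie-lifetime decision (RFC 6265, 5.3).
// All names and the cookie value below are hypothetical, chosen for this example.

// Server side: build Set-Cookie using the SERVER's clock.
function buildSetCookie(serverNow, timeoutSeconds, style) {
  const base = 'session=abc123; Path=/; HttpOnly';
  if (style === 'expires') {
    // Absolute wall-clock time, only meaningful if both clocks agree.
    const when = new Date(serverNow.getTime() + timeoutSeconds * 1000);
    return `${base}; Expires=${when.toUTCString()}`;
  }
  // Relative lifetime, counted by the client from the moment of receipt.
  return `${base}; Max-Age=${timeoutSeconds}`;
}

// Client side: work out the expiry instant using the CLIENT's clock.
function clientExpiry(setCookie, clientNow) {
  const attrs = {};
  for (const part of setCookie.split(';').slice(1)) {
    const [name, ...rest] = part.trim().split('=');
    attrs[name.toLowerCase()] = rest.join('=');
  }
  // Max-Age takes precedence over Expires when both are present.
  if ('max-age' in attrs) {
    return new Date(clientNow.getTime() + Number(attrs['max-age']) * 1000);
  }
  if ('expires' in attrs) return new Date(attrs.expires);
  return null; // no lifetime attribute: kept until the browser session ends
}

// A cookie whose expiry is not in the client's future is discarded at once.
function isStoredByClient(setCookie, clientNow) {
  const expiry = clientExpiry(setCookie, clientNow);
  return expiry === null || expiry.getTime() > clientNow.getTime();
}

// The report's scenario: server at 11:59 am GMT, client at 11:59 pm GMT, 3 h timeout.
function demo() {
  const serverNow = new Date('2011-03-30T11:59:00Z');
  const clientNow = new Date('2011-03-30T23:59:00Z');
  const timeout = 3 * 60 * 60;
  return {
    expires: isStoredByClient(buildSetCookie(serverNow, timeout, 'expires'), clientNow),
    maxAge: isStoredByClient(buildSetCookie(serverNow, timeout, 'max-age'), clientNow),
  };
}

console.log(demo());
```

With either relative form the client's clock no longer decides whether login works, so the login time-out itself has to be enforced on the server against the server's own clock.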