in reply to Slightly OT: How to Code for Incorrect Clocks and Rapidly Expiring Cookies
What I would do is set a session cookie (therefore totally ignoring the client-end timestamp) and store the cookie id in a database on the server. When the cookie is given back to the server, check the database and the time it was 'given' - more than 2 minutes and you run your 'out of time' section of code. This also helps you avoid trusting the data stored by the client (a cookie id of around 128 randomly generated characters which times out after 2 minutes is going to be extremely low on the 'possibility to hack' scale: bung in browser user-agent logging and IP logging into the database, over SSL, and you've got a nearly unhackable system as regards user authentication).
The other alternative would be to use Javascript to create the cookie on the client end. But then think about 'javascript-crippled' browsers and how easy it would be to change the data...
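The server-side scheme from the reply above, written out as an added example (not code from the thread); an in-memory dict stands in for the database table, the clock is injectable so the two-minute window can be tested, and the user-agent/IP check is the extra logging the poster suggests:

```python
import secrets
import time
from dataclasses import dataclass

SESSION_TTL_SECONDS = 120   # the two-minute window from the post
SESSION_ID_LENGTH = 128     # length of the random cookie id from the post


@dataclass
class SessionRecord:
    issued_at: float    # server clock at issue time; the client's clock is never consulted
    user_agent: str
    remote_ip: str


class SessionStore:
    """Constructed stand-in for the server-side database the post describes."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: dict[str, SessionRecord] = {}

    def issue(self, user_agent: str, remote_ip: str) -> str:
        # 96 random bytes from the OS CSPRNG encode to exactly 128 url-safe characters
        session_id = secrets.token_urlsafe(96)[:SESSION_ID_LENGTH]
        self._sessions[session_id] = SessionRecord(self._clock(), user_agent, remote_ip)
        return session_id

    def validate(self, session_id: str, user_agent: str, remote_ip: str) -> str:
        """Return 'ok', or the reason the presented cookie is rejected."""
        record = self._sessions.get(session_id)
        if record is None:
            return "unknown"           # never issued, or already expired and purged
        if self._clock() - record.issued_at > SESSION_TTL_SECONDS:
            del self._sessions[session_id]
            return "expired"           # the post's 'out of time' section of code
        if record.user_agent != user_agent or record.remote_ip != remote_ip:
            return "mismatch"          # presented from a different browser/address
        return "ok"
```

The IP comparison is a heuristic rather than a hard guarantee, since legitimate users behind proxies or mobile carriers can change address mid-session.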