Christian Theune <ct@gocept.com> wrote:
On Sun, Jul 08, 2001 at 11:50:42PM +0200, Dieter Maurer wrote:
With cookie based authentication, you simply kill the cookie. [...]
Really? Just think what happens if the user manually copies its cookie and stores it back on the browser?
You have to tell the server to forget that this cookie is authorized ... ?
(I'm not sure on that ... )
A better way would be to track the cookie's value on the server; then you can kill the cookie both on the client and prevent its re-usage from the server side. An example would be to store the cookie's key, the value of the cookie, along with a timeout on the server side. So long as you have a valid request, you update the timeout value on the server side. When the user logs out you set the timeout to "now". The next time the user tries to do something the server detects that the cookie is invalid (based on the timeout) and takes appropriate action (i.e. redirecting to the login screen). Hope this helps.
/dario
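The server-side tracking described above, as an added example that is not code from this thread or from Zope: an in-memory registry of issued cookie values with a sliding idle timeout, where logout sets the expiry to "now" so a copied cookie replayed later is rejected. The class and function names, and the 15-minute timeout, are assumptions for the illustration.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60  # assumed: seconds a session may sit unused before it expires


@dataclass
class Session:
    user: str
    expires_at: float  # absolute time after which the cookie is no longer honoured


class FakeClock:
    """Constructed clock so the timeout behaviour can be exercised offline."""
    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now


class SessionStore:
    """Server-side record of every cookie value handed out (hypothetical in-memory store)."""
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable for tests
        self._sessions = {}      # cookie value -> Session

    def login(self, user: str) -> str:
        # The cookie carries only an unguessable random token; the user name
        # and the expiry live on the server, so the client cannot forge either.
        key = secrets.token_urlsafe(32)
        self._sessions[key] = Session(user, self._clock() + IDLE_TIMEOUT)
        return key

    def authenticate(self, key: str):
        """Return the user for a presented cookie, or None if it is not a live
        session. A valid request slides the idle timeout forward."""
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self._clock()
        if now >= sess.expires_at:
            del self._sessions[key]  # idle too long or logged out: forget it
            return None
        sess.expires_at = now + IDLE_TIMEOUT
        return sess.user

    def logout(self, key: str) -> None:
        """Expire the session 'now'; a stored copy of the cookie is then useless."""
        sess = self._sessions.get(key)
        if sess is not None:
            sess.expires_at = self._clock()
```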