[ale] OT: How to serve a clean web logout?

cfowler cfowler at outpostsentinel.com
Tue Jan 30 11:17:11 EST 2007


On Tue, 2007-01-30 at 10:40 -0500, James Sumners wrote:
> Usually you mark them as logged out in the session or just plain
> delete the session. Your login script should be checking to see if
> their session time has expired (if it does), if they are currently
> logged in, and if they even have a session at all. 

Correct.  One thing I do is give them an invalid cookie.  When your
login page sees an invalid cookie it shows them the login page.
Normally when my login page detects a valid cookie it does a 302
redirect to the main page.  So the only way to get to the login page is
to log out and get an invalid cookie.  All other pages validate the
cookie and, if it is wrong, do a 302 redirect to the login page.
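
The flow described in this thread, sketched as an added example that is not part of the original messages: the session is deleted server-side, the client's cookie is overwritten with an invalid value, and every page validates the cookie before serving. The cookie name `sid`, the paths `/login`, `/main` and `/logout`, the in-memory store and the 900-second timeout are all assumptions made for the illustration.

```python
import secrets
import time

SESSION_TTL = 900          # seconds; assumed session lifetime
SESSIONS = {}              # token -> expiry timestamp (in-memory store for the example)
INVALID = "logged-out"     # constructed marker value handed out at logout

def new_session(now=None):
    """Create a server-side session after a successful password check."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = now + SESSION_TTL
    return token

def is_valid(cookie, now=None):
    """A cookie is valid only if the server still holds an unexpired session for it."""
    now = time.time() if now is None else now
    expiry = SESSIONS.get(cookie)
    if expiry is None:
        return False
    if expiry <= now:
        del SESSIONS[cookie]   # expired: drop it so it can never be revived
        return False
    return True

def redirect(location, set_cookie=None):
    """Build a 302 response, optionally replacing the client's sid cookie."""
    headers = {"Location": location}
    if set_cookie is not None:
        headers["Set-Cookie"] = f"sid={set_cookie}; Path=/; HttpOnly; Secure; SameSite=Lax"
    return 302, headers, ""

def handle(path, cookie, now=None):
    """Return (status, headers, body) for a request carrying the given sid cookie."""
    valid = is_valid(cookie, now)
    if path == "/logout":
        SESSIONS.pop(cookie, None)                     # delete server-side state first
        return redirect("/login", set_cookie=INVALID)  # then overwrite the client's cookie
    if path == "/login":
        # Valid cookie: bounce to the main page. Anything else: show the form.
        return redirect("/main") if valid else (200, {}, "login form")
    # Every other page validates the cookie and redirects to login on failure.
    return (200, {}, f"content of {path}") if valid else redirect("/login")
```

Because the session is removed from the server's store at logout, a copy of the old cookie value replayed later fails validation just like the invalid marker does.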




