[ale] OT: How to serve a clean web logout?

John Mills johnmills at speakeasy.net
Tue Jan 30 11:41:24 EST 2007


Christopher and James -

Thanks for the help. I am using GoAhead's "embeddable" web server and
don't yet know well how to interact with its user management API. In
particular, the user apparently connected through an OpenSSL socket at
port 443, then tunneled to my CGI location if authorization is required
and satisfied. I guess a trip into GoAhead's websSSL and/or um* source is
in order.

 - Mills 

On Tue, 30 Jan 2007, cfowler wrote:

> On Tue, 2007-01-30 at 10:40 -0500, James Sumners wrote:
> > Usually you mark them as logged out in the session or just plain
> > delete the session. Your login script should be checking to see if
> > their session time has expired (if it does), if they are currently
> > logged in, and if they even have a session at all. 
> 
> Correct.  One thing I do is give them an invalid cookie.  When your
> login page sees an invalid cookie it shows them the login page.
> Normally when my login page detects a valid cookie it does a 302
> redirect to the main page.  So the only way to get to the login page is
> to logout and get an invalid cookie.  All other pages validate the
> cookie and if it is wrong does a 302 redirect to the login page.
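
The checks described in this thread, as an added example that is not part of the original posts: a server-side session table where logout deletes the session, so an old cookie replayed after logout is treated like any other invalid cookie. The cookie name `sid`, the paths, the 15-minute timeout and the in-memory store are assumptions; this is plain Python, not GoAhead's um* API.

```python
import secrets
import time

SESSION_TTL = 900   # assumed idle timeout in seconds
SESSIONS = {}       # session id -> {"user": name, "expires": epoch seconds}

def login(user, now=None):
    """Create a server-side session; the random id is the cookie value."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "expires": now + SESSION_TTL}
    return sid

def session_user(sid, now=None):
    """Return the user for a live session, or None if the cookie is
    missing, unknown (logged out) or expired."""
    now = time.time() if now is None else now
    rec = SESSIONS.get(sid)
    if rec is None:
        return None
    if now >= rec["expires"]:
        del SESSIONS[sid]          # expired: drop it so it cannot be reused
        return None
    return rec["user"]

def logout(sid):
    """Delete the session server-side and expire the cookie in the browser."""
    SESSIONS.pop(sid, None)
    return 302, {"Location": "/login",
                 "Set-Cookie": "sid=; Max-Age=0; Path=/; Secure; HttpOnly"}

def route(path, sid, now=None):
    """Return (status, redirect target or page body) for a request."""
    user = session_user(sid, now)
    if path == "/login":
        # Valid cookie: skip the form. Invalid or absent: show it.
        return (302, "/main") if user else (200, "login form")
    # Every other page validates the cookie first.
    return (200, f"{path} for {user}") if user else (302, "/login")

if __name__ == "__main__":
    sid = login("mills")                 # constructed sample user
    print(route("/main", sid))           # session is live
    logout(sid)
    print(route("/main", sid))           # old cookie replayed after logout
```

Because the session record is removed on the server, the logout holds even if the browser ignores the expired-cookie header or a copy of the old cookie is presented later.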




