When a user requests a logout, the 'maxAge' of the cookie is set to 0, which will tell the browser to delete it.
However, when a cookie was stolen, this stolen cookie still exists, and can still be used to log in. After all, the cookie contains all the information needed for logging in; no additional information is needed at all. But maybe I'm looking for a problem that doesn't exist?

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3060328
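The situation raised in the message above, as an added example that is not part of the original post and is not Restlet code: a self-contained signed cookie checked statelessly, next to the same check with a server-side revocation lookup at logout. The cookie layout, the cookie name `session`, the in-memory `REVOKED` store and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = secrets.token_bytes(32)  # server signing key, generated for this example
REVOKED = {}                      # session id -> expiry time (hypothetical in-memory store)

def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def issue_cookie(user, ttl=3600):
    """Self-contained cookie: the signed payload is all that is needed to log in."""
    claims = {"u": user, "sid": secrets.token_hex(16), "exp": time.time() + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (payload + b"." + _sign(payload)).decode()

def _claims(cookie):
    """Return the claims if signature and expiry are valid, else None."""
    payload, _, sig = cookie.encode().partition(b".")
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims if claims["exp"] > time.time() else None

def verify_stateless(cookie):
    """Signature and expiry only: nothing the server does at logout changes this."""
    claims = _claims(cookie)
    return claims["u"] if claims else None

def logout(cookie):
    """Revoke the session server-side, then tell the browser to drop its copy."""
    claims = _claims(cookie)
    if claims:
        REVOKED[claims["sid"]] = claims["exp"]  # keep only until natural expiry
    now = time.time()
    for sid in [s for s, exp in REVOKED.items() if exp <= now]:
        del REVOKED[sid]
    return "session=; Max-Age=0; Path=/"  # Set-Cookie value (cookie name assumed)

def verify_with_revocation(cookie):
    """Same checks, plus a lookup that makes logout bind every copy of the cookie."""
    claims = _claims(cookie)
    if claims is None or claims["sid"] in REVOKED:
        return None
    return claims["u"]
```

The revocation store only has to hold a session id until that cookie's own expiry, so a short cookie lifetime keeps it small.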

