You can always have the Verifier treat cookies with creation times too far in the past as stale. A legitimate client will be able to provide the credentials again; an impostor with a stolen cookie won't.
--tim

On Fri, Jul 12, 2013 at 6:01 AM, Johanneke Lamberink <jtlamber...@gmail.com> wrote:

> When a user requests a logout, the 'maxAge' of the cookie is set to 0,
> which will tell the browser to delete it.
>
> However, when a cookie was stolen, this stolen cookie still exists, and
> can still be used to log in. After all, the cookie contains all the
> information needed for logging in, no additional information is needed at
> all.
>
> But maybe I'm looking for a problem that doesn't exist?
>
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3060328
> ------------------------------------------------------

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3060331
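A self-contained sketch of the staleness check Tim describes, added here as an example in Python rather than Restlet's Java Verifier API (it is not code from the thread or from Restlet): the cookie carries its creation time under an HMAC, so the verifier rejects both a cookie whose timestamp was rewritten and one created longer ago than MAX_COOKIE_AGE. The secret, the one-hour window and the injected `now` clock are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumed server-side secret (constructed for this example, not a real key).
SECRET = b"example-server-secret-not-for-production"
# Assumed window: cookies created longer ago than this are treated as stale.
MAX_COOKIE_AGE = 3600  # seconds
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC tag at the end


def make_cookie(identifier: str, created: float) -> str:
    """Build a cookie value carrying the identifier and its creation time.

    The payload is HMAC-signed so the holder of the cookie cannot push the
    creation time forward to dodge the staleness check.
    """
    payload = json.dumps({"id": identifier, "created": int(created)},
                         separators=(",", ":")).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_cookie(cookie: str, now: float) -> Optional[str]:
    """Return the identifier if the cookie is authentic and not stale, else None.

    `now` is passed in (seconds since epoch) so the check is testable.
    """
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged: reject before trusting any field
    data = json.loads(payload)
    if now - data["created"] > MAX_COOKIE_AGE:
        return None  # creation time too far in the past: treat as stale
    return data["id"]


if __name__ == "__main__":
    cookie = make_cookie("alice", created=1000)
    print(verify_cookie(cookie, now=1500))                        # alice
    print(verify_cookie(cookie, now=1000 + MAX_COOKIE_AGE + 1))   # None (stale)
    print(verify_cookie(cookie[:-4] + "AAAA", now=1500))          # None (tag damaged)
```

Logout with maxAge=0 still only removes the browser's own copy; what this check adds is that a stolen copy stops working once its creation-time window closes, and the legitimate user simply re-authenticates to get a fresh one.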