> It's #5 that's troublesome. I wasn't sure how I could expire the older
> session (since the session key that matters is sitting client side). I
> guess I could keep a table of invalidated session keys, and check
> against that every time along with all the other checks going on in
> authen_ses_key(). I was just mainly asking if there was an existing
> solution out there.

I'm not sure I follow your session id problem. When I check a session, I ask the client for its ID, then look the session up by ID. To 'expire' the session, I simply delete it from the session store (File or Postgres).

Cory 'G' Watson
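
The server-side approach described in the reply above, as an added example that is not part of the original thread: the client holds only an opaque ID, and a session is expired by deleting its record. The `SessionStore` class, its method names and the in-memory dict standing in for the File/Postgres store are assumptions, as is reading "expire the older session" as removing a user's previous session at a new login.

```python
import secrets
import time


class SessionStore:
    """Server-side session store; a dict stands in for the File/Postgres backend."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._by_id = {}      # session id -> (user, expiry timestamp)
        self._by_user = {}    # user -> that user's current session id

    def login(self, user, now=None):
        """Create a session; any older session for this user is deleted first."""
        now = time.time() if now is None else now
        old = self._by_user.get(user)
        if old is not None:
            self.expire(old)
        sid = secrets.token_urlsafe(32)   # opaque and unguessable; carries no state
        self._by_id[sid] = (user, now + self.ttl)
        self._by_user[user] = sid
        return sid

    def check(self, sid, now=None):
        """Return the user for a live session id, or None."""
        now = time.time() if now is None else now
        record = self._by_id.get(sid)
        if record is None:
            return None               # unknown, or already deleted from the store
        user, expires = record
        if now >= expires:
            self.expire(sid)          # timed out: remove the record
            return None
        return user

    def expire(self, sid):
        """Expire a session by deleting it from the store."""
        record = self._by_id.pop(sid, None)
        if record and self._by_user.get(record[0]) == sid:
            del self._by_user[record[0]]
```

Because validity is decided by the lookup alone, no table of invalidated keys is needed: an ID the client still holds stops working as soon as its record is gone.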