Peter,
> 2) that depends. First, for some reasons, Internet is designed without
> "Logout". Many seldom logout from those services such as Yahoo mail, and me
> too. For the specific question you posted (one login only for an account),
> while it can be in principle designed and implemented, in practice, it may
> not work that smoothly, because many users still don't run "Logout". Trust
> me :-). So BA or cookie doesn't matter. Second, you can make a link to
> close the window using javascript, just like a "Logout" button.

Well, that's kind of why I'm here in the first place... looking for a real solution for users who don't log out. I'd rather force logout of their old sessions than just resign myself to the fact that users' habits make logouts unpredictable. It's not acceptable for our application's purposes to just leave active sessions open if it's at all possible to avoid.

> 3) will be very interesting to hear about your successful implementation!

I would have been done yesterday had I not made a bonehead mistake and deleted a very important database table. I'm still recovering from that mistake. :-( Hopefully, I'll be able to tell you all about the successful implementation early next week.

> (BTW, if only the "existence" status of an account is needed to double
> check, please consider a lock file (e.g. -e) under Apache::File that may be
> much faster than to call SessionDBI)

I'm not too worried about performance... only about 100 users will ever have an account on this system, a fraction of them actively using the app at any one time. But I'm not using the DBI for this part anyhow. I'm using Apache::Session::File, more or less (really using Flex but only overriding the Generate method). The only time I hit the database is to check that the user/password are valid and get user preferences when they submit the login form.

The lock file actually isn't a workable solution, now that I think about it. Just knowing a user has logged in and not logged out does me no good; I need to know if they have other valid session keys still in existence so I can expire them. A lock file could lead to false positives: if the key expired but they haven't visited again or explicitly logged out since, it'll be there but the user really doesn't have any active sessions.

I still think Jeff's post yesterday suggesting I store the AuthCookie key in the Apache::Session data is the answer.

Thanks for the dialog, I'll post the final results.

-Fran
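The single-active-session scheme discussed in this thread (store the auth-cookie key inside the session data, then revoke a user's other sessions at login) and the lock-file false positive Fran describes, as an added example that is not part of the original thread. It is a Python model of the approach, not Apache::Session or Apache::AuthCookie code; the class and field names are assumptions.

```python
import secrets

class SessionStore:
    """Model of a file-based session store plus the auth-cookie keys it accepts.
    Constructed for this example; it is not Apache::Session or Apache::AuthCookie."""

    def __init__(self, ttl=3600):
        self.ttl = ttl
        self.sessions = {}            # session id -> {'user', 'auth_key', 'expires'}
        self.valid_auth_keys = set()  # auth-cookie keys the auth handler will still accept
        self.lock_files = set()       # users for whom an 'existence' lock file was touched

    def login(self, user, now):
        """Issue a new session and auth-cookie key, expiring this user's other sessions."""
        killed = self.expire_user_sessions(user, now)
        sid, auth_key = secrets.token_hex(16), secrets.token_hex(16)
        # The auth-cookie key is kept inside the session data so that a later
        # login by the same user can find it and revoke it.
        self.sessions[sid] = {'user': user, 'auth_key': auth_key, 'expires': now + self.ttl}
        self.valid_auth_keys.add(auth_key)
        self.lock_files.add(user)
        return auth_key, killed

    def expire_user_sessions(self, user, now):
        """Revoke every auth key and session record belonging to user; return revoked keys."""
        revoked = []
        for sid, sess in list(self.sessions.items()):
            if sess['user'] == user:
                self.valid_auth_keys.discard(sess['auth_key'])
                del self.sessions[sid]
                revoked.append(sess['auth_key'])
        return revoked

    def logout(self, auth_key):
        """Explicit logout: drop the session, its auth key and the user's lock file."""
        for sid, sess in list(self.sessions.items()):
            if sess['auth_key'] == auth_key:
                self.valid_auth_keys.discard(auth_key)
                self.lock_files.discard(sess['user'])
                del self.sessions[sid]

    def is_active(self, auth_key, now):
        """What the auth handler should answer: key still accepted and its session unexpired."""
        if auth_key not in self.valid_auth_keys:
            return False
        sess = next(s for s in self.sessions.values() if s['auth_key'] == auth_key)
        return sess['expires'] > now

    def lock_file_says_active(self, user):
        """Existence-only check: stays true after expiry unless the user logged out explicitly."""
        return user in self.lock_files

    def has_live_session(self, user, now):
        """Checks the session records, so an expired-but-unvisited session does not count."""
        return any(s['user'] == user and s['expires'] > now for s in self.sessions.values())
```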