On 09/18/2009 12:57 PM, Randal L. Schwartz wrote:

> The problem with that is public web browsers.  You *cannot* ensure the
> expiration of an auth cookie, so you'll have to have some sort of server-side
> data to say "this user most recently authenticated at this time, so I still
> trust him".

Why does this have to be server side? Why can't it be part of the cookie's (tamper-proof) data itself?

--
Michael Peters
Plus Three, LP
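
An added example, not part of the original message: the signed-cookie idea asked about above, sketched in Python, with the authentication time inside an HMAC-protected payload so the server enforces the age limit itself instead of relying on the browser to expire the cookie. The key, the 15-minute window, the cookie layout and the function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: key known only to the server
MAX_AGE = 15 * 60                  # assumption: trust a login for 15 minutes


def _mac(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()


def issue_cookie(user, now=None):
    """At login: return 'b64(user|auth_time).b64(HMAC)'."""
    auth_time = int(time.time()) if now is None else now
    payload = f"{user}|{auth_time}".encode()
    enc = base64.urlsafe_b64encode
    return enc(payload).decode() + "." + enc(_mac(payload)).decode()


def verify_cookie(cookie, now=None):
    """Return the user name if the cookie is authentic and fresh, else None."""
    now = int(time.time()) if now is None else now
    try:
        p64, m64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
        # Check the MAC before trusting anything inside the payload.
        if not hmac.compare_digest(mac, _mac(payload)):
            return None
        user, ts = payload.decode().rsplit("|", 1)
        auth_time = int(ts)
    except ValueError:  # bad split, bad base64, bad UTF-8, bad integer
        return None
    # Age is judged by the server clock against the signed timestamp;
    # the browser's own cookie expiry plays no part in the decision.
    if not 0 <= now - auth_time <= MAX_AGE:
        return None
    return user


if __name__ == "__main__":
    c = issue_cookie("alice", now=1000)           # constructed sample login
    print(verify_cookie(c, now=1060))             # fresh
    print(verify_cookie(c, now=1000 + MAX_AGE + 1))  # too old
```

A copied cookie is still accepted until the window runs out, so ending a session earlier than that (logout, revocation) requires some server-side record.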
