On Sat, Sep 19, 2009 at 11:43 AM, Tina Müller <apa...@s05.tinita.de> wrote:
> On Fri, 18 Sep 2009, Igor Chudov wrote:
>> On Fri, Sep 18, 2009 at 10:13 AM, Tina Mueller <apa...@s05.tinita.de> wrote:
>>
>>> How does the user invalidate that "session"? (in case the cookie leaked
>>> or something like that). Or how can the website owner log out a certain
>>> user?
>>
>> Same way you do with a table: when the user logs out, you update their
>> cookie to a new one, where "userid" is not set.
>
> That doesn't invalidate the cookie.
> It resets the cookie in the browser, but the string itself is still a valid
> session and can be reused.

That's why you have an expires time in the cookie data. Each request you
check and extend. Then if you see one that's past the expires time you
require authentication again.

"Logged out" is a fuzzy concept. If it means the user must provide
credentials again then you flag logged out in the cookie and then it will
appear to the user that they are logged out. Sure, if they copy the cookie
some place, log out, then they can use the cookie again seemingly w/o
logging in. But it's just an appearance. Logging in just means you have
provided the credentials and given them a temporary token (the cookie) that
says they don't need to re-authenticate every request. It's a free pass for
the time allowed (regardless of the log out).

If you have much more strict business needs around "logging out" or a way
to immediately disable a user then you need to track that elsewhere -- set a
flag in memcached or use the db.

> Since there is nothing stored about it server side the server just gets
> the session string from the client and doesn't care (doesn't know) if
> any browser "logged out".
>
> And storing the IP in the session wouldn't work for users that get a
> new IP very often. On the other hand, several users might have the
> same IP in the view of the server.

Right, IPs are not much good.

I use them sometimes to force a captcha if too many failed logins come from
the same IP.

-- 
Bill Moseley
mose...@hank.org
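The scheme Bill describes, written out as an added example (not code from the thread or from any of its participants): a signed cookie carrying userid, expires and a logged_out flag, checked and extended on every request, plus a revocation set standing in for the memcached/db flag he mentions for strict logout. The JSON-plus-HMAC layout, the key, the TTL and the user names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # assumption: a random, server-held key in practice
TTL = 900                         # seconds a cookie stays valid without a new request
REVOKED = set()                   # stand-in for the memcached/db flag the thread mentions

def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()

def make_cookie(userid, now, logged_out=False):
    """Serialise the session data and append an HMAC so the client cannot alter it."""
    data = {"userid": userid, "expires": now + TTL, "logged_out": logged_out}
    payload = json.dumps(data, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()

def check_cookie(cookie, now):
    """Return (session dict, refreshed cookie), or (None, None) to force re-authentication.

    Verify the signature, reject a logged_out flag or a past 'expires', and
    otherwise extend the expiry. The REVOKED set is the server-side check that
    a purely stateless cookie cannot provide on its own.
    """
    raw = base64.urlsafe_b64decode(cookie)
    payload, sig = raw[:-32], raw[-32:]
    if not hmac.compare_digest(sig, _sign(payload)):
        return None, None  # tampered or forged
    data = json.loads(payload)
    if data["logged_out"] or now > data["expires"] or data["userid"] in REVOKED:
        return None, None  # the free pass is over: ask for credentials again
    return data, make_cookie(data["userid"], now)  # extend on every request

def logout_cookie(now):
    """What the server sets on logout: a cookie that carries no userid."""
    return make_cookie(None, now, logged_out=True)

def demo():
    """Walk through the thread's scenario; returns three booleans, all True."""
    t0 = 1_000_000
    original = make_cookie("alice", t0)          # issued at login
    browser = logout_cookie(t0 + 10)             # browser's cookie replaced on logout
    assert check_cookie(browser, t0 + 20)[0] is None
    reusable = check_cookie(original, t0 + 20)[0] is not None    # old string still valid
    expired = check_cookie(original, t0 + TTL + 1)[0] is None    # until 'expires' passes
    REVOKED.add("alice")                                         # the "track elsewhere" path
    revoked = check_cookie(original, t0 + 20)[0] is None         # disabled immediately
    return reusable, expired, revoked
```

Running demo() shows the point of the thread: replacing the browser's cookie does not invalidate the original string, only expiry or a server-side revocation does.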