On Wed, 10 Nov 2010 21:40:01 +0100, Bjoern Hoehrmann <derhoe...@gmx.net> wrote:
> You can expire the client-side part of the session without knowing which
> session it is, so long as the browser reads the Set-Cookie header in the
> response. You could simply respond with an expired Set-Cookie header to
> any request without a Cookie header. The server-side part of the session
> would remain active, of course, but that makes no difference to users.

Ah okay. So that would never work, as things tagged with "anonymous", XMLHttpRequest without credentials, or AnonXMLHttpRequest would ignore Set-Cookie headers.


--
Anne van Kesteren
http://annevankesteren.nl/
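
The exchange discussed in this message, as a simplified model added here for illustration (not code from either poster or from any browser). The cookie name `session`, the `Map`-based jar and the helper names are assumptions; the model only distinguishes a credentialed request from an anonymous one that neither sends Cookie nor processes Set-Cookie.

```javascript
// Simplified model, constructed for illustration; not a real cookie engine.
const SESSION = "session"; // hypothetical cookie name

// Server: answer any request lacking a Cookie header with an expired Set-Cookie.
function serverRespond(requestHeaders) {
  const headers = {};
  if (!("cookie" in requestHeaders)) {
    headers["set-cookie"] =
      `${SESSION}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/`;
  }
  return { status: 200, headers };
}

// Client: apply one Set-Cookie header value to a jar (Map of name -> value).
function applySetCookie(jar, headerValue, now = Date.now()) {
  const [pair, ...attrs] = headerValue.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return; // no cookie name, ignore the header
  const name = pair.slice(0, eq);
  const expires = attrs.find((a) => /^expires=/i.test(a));
  const expired =
    expires !== undefined && Date.parse(expires.slice("expires=".length)) <= now;
  if (expired) jar.delete(name);
  else jar.set(name, pair.slice(eq + 1));
}

// One round trip. Credentialed: send Cookie and process Set-Cookie.
// Anonymous: omit Cookie and ignore Set-Cookie in the response.
function fetchModel(jar, { withCredentials }) {
  const requestHeaders = {};
  if (withCredentials && jar.size > 0) {
    requestHeaders.cookie = [...jar].map(([k, v]) => `${k}=${v}`).join("; ");
  }
  const response = serverRespond(requestHeaders);
  const setCookie = response.headers["set-cookie"];
  if (withCredentials && setCookie !== undefined) applySetCookie(jar, setCookie);
  return { requestHeaders, response };
}

// A logged-in user (constructed session value) triggers an anonymous request.
function demo() {
  const jar = new Map([[SESSION, "abc123"]]);
  const { response } = fetchModel(jar, { withCredentials: false });
  return {
    serverSentExpiry: "set-cookie" in response.headers, // server tried to expire
    cookieStillInJar: jar.has(SESSION), // anonymous mode ignored it
  };
}
```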
