POV-Ray: Newsgroups: povray.off-topic: As if we didn't have enough to worry about...: Re: As if we didn't have enough to worry about...

POV-Ray : Newsgroups : povray.off-topic : As if we didn't have enough to worry about... : Re: As if we didn't have enough to worry about...		Server Time 1 Oct 2024 18:29:25 EDT (-0400)

From: Nicolas Alvarez
Date: 4 Apr 2008 19:56:23
Message: <47f6ce37@news.povray.org>

> Nicolas Alvarez wrote:
>> Session usually expires server-side at the same time as the 
>> client-side cookie. There are no sessions with HTTP auth, nothing you 
>> can expire.
> 
> Of course there is. You're just not thinking.  The server knows how long 
> it has been since last you came back.  After that time elapses, clean up 
> whatever you'd clean up if the user hit the "logout" button.
> 
> In other words, no, cookies do not "expire" on the server side, since 
> the server doesn't have a cookie. A cookie is a way for the server to 
> store something at the browser. The "something" is what expires. Hence, 
> go ahead, expire that "something".

With cookie-based login, the "something" to expire is the session ID 
kept in the cookie. Even if the client doesn't expire the cookie, the 
server wouldn't accept the session ID anymore once it expires.

With HTTP auth, the "something" that the client sends is the user 
credentials. Should I expire the user's password?

Anyway, just Google "http auth logout" [1] and see how many people 
complain about it. *Sometimes* even people who know what they're talking 
about :)

[1] or "http (auth|authentication) (logout|log out)" so that you don't 
miss anything.

Post a reply to this message