> Nicolas Alvarez wrote:
>> Session usually expires server-side at the same time as the
>> client-side cookie. There are no sessions with HTTP auth, nothing you
>> can expire.
>
> Of course there is. You're just not thinking. The server knows how long
> it has been since last you came back. After that time elapses, clean up
> whatever you'd clean up if the user hit the "logout" button.
>
> In other words, no, cookies do not "expire" on the server side, since
> the server doesn't have a cookie. A cookie is a way for the server to
> store something at the browser. The "something" is what expires. Hence,
> go ahead, expire that "something".

With cookie-based login, the "something" to expire is the session ID
kept in the cookie. Even if the client doesn't expire the cookie, the
server wouldn't accept the session ID anymore once it expires.

With HTTP auth, the "something" that the client sends is the user
credentials. Should I expire the user's password?

Anyway, just Google "http auth logout" [1] and see how many people
complain about it. *Sometimes* even people who know what they're talking
about :)

[1] or "http (auth|authentication) (logout|log out)" so that you don't
miss anything.
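The two cases discussed in this thread, as an added example that is not part of any post: a server-side session store with an idle timeout next to a stateless check of an `Authorization: Basic` header. `SessionStore`, `basic_auth`, `USERS` and the 900-second timeout are hypothetical names and values chosen for illustration.

```python
import base64
import hmac
import secrets

IDLE_TIMEOUT = 900  # seconds of inactivity before a session dies (assumed value)

class SessionStore:
    """Cookie-style login: the cookie carries only a random session ID."""
    def __init__(self, timeout=IDLE_TIMEOUT):
        self.timeout = timeout
        self._sessions = {}  # session id -> (user, last_seen)

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, now)
        return sid

    def authenticate(self, sid, now):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > self.timeout:
            self.logout(sid)  # same cleanup as the "logout" button
            return None       # the cookie may still exist client-side; the ID is dead
        self._sessions[sid] = (user, now)  # sliding idle window
        return user

    def logout(self, sid):
        self._sessions.pop(sid, None)

# Constructed sample account. Plaintext only to keep the example short;
# a real credential store holds salted password hashes.
USERS = {"alice": "correct horse"}

def basic_auth(header):
    """HTTP Basic: the header carries the credentials themselves."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode()
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(password.encode(), expected.encode()):
        return user
    return None  # there is no server-issued token here to invalidate
```

The session ID stops working once the idle window passes, while the same Basic header is accepted for as long as the password is unchanged.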