On Thursday 30 June 2005 03:59, Bas Scheffers wrote: > But what if the user never comes back? The thing would sit there forever. > I would also plan to set the cookie to expire to a little after (their PC > clock may be off!) what the session timeout is, so the cookie would not be > sent at all anymore if your session timeout is 30 mins and they come back > after an hour. This would mean re-sending the cookie on every request, of > course.
The server has to have an independent method of maintaining and verifying the session timeout; store it in the session. You also need to re-send the session cookie on each request to update the timeout on the user end. Your initial nscookie.c sends the Set-Cookie header as Cookie, which doesn't actually set the cookie on the client. There is also a new Set-Cookie2 header with new requirements for reading and sending cookies. Also, if you follow the RFC's, note that the old (up to 4 months ago) Mozilla codebase screws up on quoted values for Max-Age and Path components. It includes the quotes in the path value, and doesn't understand the quoted integer and so downgrades the cookie to a session cookie. tom jackson -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
