On 25 Nov 2013, at 7:30 PM, Thomas Eckert <[email protected]> wrote:
> > If I have misunderstood, and you simply want all the old cookies
> > ignored and/or removed, then just list the new key by itself, the old
> > cookies will not be considered at all - I'm not sure if the invalid
> > cookie is deleted or not..
>
> That's *exactly* what I want: get rid of the old cookies, encrypted with the
> old key. And that's also exactly what's not working, see my first message in
> this thread. There appears an endless loop from the authentication form to
> the authentication form on cookie decryption failure.

Can you be more specific about what is flowing in and out of the server?

I take it an encrypted cookie comes in that the server cannot decrypt, the response is… what? 401 Unauthorised? 302 Temporary Redirect? And on that response, what is the value of the cookie being set (assuming the cookie is being set at all?).

Regards,
Graham
--
