Hi all,
Environment is :
Randy Kobe's WinNT binary (0.6) - apache (1.3.12), mod-perl (1.23), Perl
5.6.0 & mod_ssl (2.6.3-1.3.12) / OpenSSL (0.9.5a)
Apache::AuthCookie 2.11
Apache::Session 1.51
Setup:
AuthCookie handles in-browser authentication.
Session is used to store the username and other details and the session
key is passed to AuthCookie to send back to the browser
When a protected page is requested, authen_ses_key uses the cookie to
recover the session & extract the username which is passed back to
authcookie.
When a user logs out, the session is deleted, authcookie's logout method
is called and then an internal redirect happens to a simple "you have
logged out" page.
Problem :
Using IE, once logged out I can enter a url of a previously visited page
and display it (Apache logs show nothing so I assume IE is caching it
client side).
When I click on, even to another visited page, the login dialog is
displayed.
The logs show that IE presents the session key which should have been
deleted by the log out method. It fails (the session has been deleted) and
forces a re-logon.
Questions :
Am I doing something wrong when I log people out that allows this
behaviour (doesn't seem to happen in NetScape) ?
Slightly OT - Anyone know why IE appears to be caching stuff it shouldn't
?
All help greatly appreciated !
Simon Wilcox
Intranet Development Manager
