I need to figure out how to log a user off our web site and ensure that they re-authenticate the next time they hit our site.

On the surface this seems like a very simple problem but it is not. Here is what happens.

A user logs on to our site using modauth, from an IE5 browser. They do a bunch of things and then they go off to some other URL, or for a coffee. If they don't close every single browser window then they remain authenticated to our site FOREVER! They (or anyone else sharing the same PC) can return to our site and they get access right away without any authentication.

We have hospitals using our site who have many staff sharing a PC, who each need to be able to sit down, look up some info, then log off without a lot of hassles.

Sending a 401 Unauthorized doesn't work because I can't tell the difference between someone legitimately logging in properly and one returning from a previous session.

There doesn't seem to be anything in the browser you can shut off, modify or otherwise fool. CGI scripts come into play far too late since all of the authenticating (or non-authenticating) has already passed. I tried looking at the SSL_SESSION_ID but it appears to be different for every single hit to our web site from the same PC and browser window.

My httpd.conf file is pretty much default.

SSLSessionCache is set to shm:/var/cache/ssl_scache(512000)
SSLSessionCacheTimeout is set to 300

I can get back onto my site hours later (certainly more than 5 minutes) without re-authenticating. Does anyone have any ideas where to go from here? I'm really stumped...
- RE: I need help with a very tricky problem Doug Poulin
- RE: I need help with a very tricky problem Kirk Benson
- Re: I need help with a very tricky problem Carlos Ramirez
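
The post's sticking point is that a request replaying cached Basic credentials looks identical to a fresh login. The sketch below is an added example, not code from the original post or its replies: it shows one way to tell the two apart by keeping server-side idle state and rejecting the first request after a long gap. The class name `IdleTimeoutGate`, the `client` identifier and the 300-second limit are assumptions made for illustration.

```python
import base64
import time

def parse_basic_user(header):
    """Return the user name from an 'Authorization: Basic ...' value, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None

class IdleTimeoutGate:
    """Hypothetical helper: decides whether to force a fresh password prompt.

    Password checking itself is assumed to happen elsewhere (e.g. the
    server's auth module); this only tracks idleness per (user, client).
    """
    def __init__(self, idle_limit=300, clock=time.monotonic):
        self.idle_limit = idle_limit   # seconds of inactivity allowed (assumed value)
        self.clock = clock
        self.last_seen = {}            # (user, client) -> time of last accepted hit
        self.challenged = set()        # pairs that were just sent a forced 401

    def decide(self, authorization, client):
        """Return the HTTP status to send: 200 to proceed, 401 to re-prompt."""
        user = parse_basic_user(authorization)
        if user is None:
            return 401                 # no usable credentials: normal challenge
        key, now = (user, client), self.clock()
        last = self.last_seen.get(key)
        idle = last is not None and now - last > self.idle_limit
        if idle and key not in self.challenged:
            # Cached credentials replayed after a long gap: reject once so the
            # browser discards them and asks the person at the keyboard again.
            self.challenged.add(key)
            return 401
        # Either an active session or the answer to our forced challenge.
        self.challenged.discard(key)
        self.last_seen[key] = now
        return 200
```

How `client` is derived (a cookie, an address, a workstation name) is left open here; on a shared PC every staff member arrives as the same client, which is why the key also includes the user name.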
