On 02/20/2013 12:00 PM, Jenny Martin wrote: > It looks like the session is not invalidated on logout. The cookie is > still valid in my browser, and the corresponding session is still > present in session-data.
The cookie being valid doesn't matter. What matters is that RT invalidates the session on the server-side, so it can't be reused. > I attach an http trace and you can see that the logout response > explicitly sets the old cookie. I have disabled mod_cache and > mod_disk_cache. No web proxies in use. Thank you for the trace. Please send your Apache config as well, and keep replies on list for posterity. Do you have any local customizations to RT? -- RT training in Amsterdam, March 20-21: http://bestpractical.com/services/training.html Help improve RT by taking our user survey: https://www.surveymonkey.com/s/N23JW9T
