Subject: RE: [security-services] Server-Side State and Stateful Sessions
I guess it depends on the interpretation of "MUST invalidate session". One interpretation that I don't see a problem with is that you could remember the logout message and ensure that any subsequent access by the cookie that corresponds to the session results in the session being invalidated, essentially a "delayed kill". I think "invalidate" has to be read in the context of what the implementation of the session is. If it's solely a cookie, then ensuring the next access by that cookie does not resume the session constitutes invalidation.

Of course, the motivation behind using only the cookie is avoiding shared state between the servers. And remembering the logout request requires shared state between the servers. I don't see any way around that. The problem is that not having the back-channel makes people nervous, as John K. noted.

-- Scott
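The "delayed kill" reading described in the message above, sketched as an added example (not part of the original message or of any specification under discussion): each server validates a signed cookie locally, and the only shared state is a record of logged-out session ids. The cookie format, `RevocationStore`, `Server` and the signing key are all hypothetical, constructed for illustration.

```python
import base64, hashlib, hmac, json
SIGNING_KEY = b"constructed-demo-key"  # constructed value, held by every server

class RevocationStore:  # hypothetical stand-in for the shared logout memory
    def __init__(self):
        self._revoked = {}  # session id -> expiry time of its cookie
    def remember_logout(self, sid, expires_at):
        self._revoked[sid] = expires_at
    def is_revoked(self, sid, now):
        # An entry is only needed until the cookie would have expired anyway.
        self._revoked = {s: e for s, e in self._revoked.items() if e > now}
        return sid in self._revoked

def _mac(body):
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_cookie(sid, ttl, now):
    claims = json.dumps({"sid": sid, "exp": now + ttl}).encode()
    body = base64.urlsafe_b64encode(claims).decode()
    return body + "." + _mac(body)

def parse_cookie(cookie, now):
    body, _, mac = cookie.partition(".")
    if not hmac.compare_digest(mac.encode(), _mac(body).encode()):
        return None  # forged or altered cookie
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] > now else None

class Server:
    def __init__(self, store):
        self.store = store
    def handle_logout(self, cookie, now):
        claims = parse_cookie(cookie, now)
        if claims:
            self.store.remember_logout(claims["sid"], claims["exp"])
    def handle_request(self, cookie, now):
        claims = parse_cookie(cookie, now)
        if claims is None:
            return "rejected"
        # Delayed kill: the session dies on its next access, on any server.
        return "invalidated" if self.store.is_revoked(claims["sid"], now) else "ok"

def demo():
    shared = RevocationStore()
    a, b, isolated = Server(shared), Server(shared), Server(RevocationStore())
    cookie = issue_cookie("s-1001", ttl=600, now=1000)
    before = b.handle_request(cookie, now=1010)
    a.handle_logout(cookie, now=1020)  # logout arrives at server A only
    return before, b.handle_request(cookie, now=1030), isolated.handle_request(cookie, now=1030)
```

The third result in `demo()` comes from a server that does not share the logout record: it still accepts the cookie after logout, which is the shared-state requirement the message points out.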