We're running Apache 1.3.29 and we have an application we are providing on
our intranet at kiosks. The application is accessed from a browser window
launched from our main window.
Here's the problem, if someone logs out from the application window, but
leaves the main window open, (our intranet page), then the next user can
click the link and instantly be logged in as the last user. The only way to
completely log out is to close ALL browser windows.
Where is the memory of who was logged in kept? On the server or the client?
How can we force a logout from the application window to be recognized to
all windows on the client workstation?
Thanks.

[ Post a follow-up to this message ]

On Tue, 26 Oct 2004 11:18:59 -0400, Dale DeRemer
<dderemer_nospam@agmc.org> wrote:

> We're running Apache 1.3.29 and we have an application we are providing
> on
> our intranet at kiosks. The application is accessed from a browser window
> launched from our main window.
> Here's the problem, if someone logs out from the application window, but
> leaves the main window open, (our intranet page), then the next user can
> click the link and instantly be logged in as the last user. The only way
> to
> completely log out is to close ALL browser windows.
> Where is the memory of who was logged in kept? On the server or the
> client?
> How can we force a logout from the application window to be recognized to
> all windows on the client workstation?
> Thanks.
>
Most systems track looged status via a sessionid cookie stored on the
client (matching copy stored in some database on the server).
What I would do is
1) make sure I'm using a browser with proper kiosk support like opera.
2) disable all "normal" means of closing windows (e.g. run in fullscreen
mode, no gestures, disable appropriate keyboard shortcuts)
3) provide a log/out/close/finish link that is scripted to clear the
cookie before it closes the window.
4) force a new sessionid when they click the launching link.



--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

[ Post a follow-up to this message ]

On Wed, 27 Oct 2004 07:30:13 +1300, Richard Grevers
<newsreply4@dramatic.co.nz.invalid> wrote:

> On Tue, 26 Oct 2004 11:18:59 -0400, Dale DeRemer
> <dderemer_nospam@agmc.org> wrote:
> 
> Most systems track looged status via a sessionid cookie stored on the
> client (matching copy stored in some database on the server).
> What I would do is
> 1) make sure I'm using a browser with proper kiosk support like opera.
> 2) disable all "normal" means of closing windows (e.g. run in fullscreen
> mode, no gestures, disable appropriate keyboard shortcuts)
> 3) provide a log/out/close/finish link that is scripted to clear the
> cookie before it closes the window.
> 4) force a new sessionid when they click the launching link.
>
BTW if you are using httpd logins, what I said won't apply. they do indeed
stick around for the entire browser sesion. I've been asking opera to
implement a means of zapping these.

--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

[ Post a follow-up to this message ]