12 May 2000 21:04:56 +0200
> you used 2 test cookies in your example, but I'm not sure if that's
It is once others beside me get a user database :), because then they
will have cross-list authentication using a single cookie. In that
scenario it would be a shame if the test cookie overwrote a valid
authentication cookie for some other list.
> also, AFAIK, deleting a cookie can be done by re-setting it with an
> empty value (though I believe there are some old versions of either
> IE or Netscape which have a bug with this feature)
I'd prefer to go with the method described in RFC 2109:
4.2.2 Set-Cookie Syntax
Optional. The Max-Age attribute defines the lifetime of the
cookie, in seconds. The delta-seconds value is a decimal non-
negative integer. After delta-seconds seconds elapse, the client
should discard the cookie. A value of zero means the cookie
should be discarded immediately.
> > Of course, if there are any (major) browsers in use out there that
> > don't understand Max-Age, it would be a bad idea to change Mailman.
> this is the first time I've heard about Max-Age
RFC 2109 is dated February 1997, and one of its authors was a
Netscape employee. I'll try issuing Cookies with Max-Age instead of
Expires for our own users, and let you know how it goes >-)
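
The deletion approach discussed in this message, as an added example that is not part of the original e-mail or of Mailman's code: a Set-Cookie value carrying Max-Age=0 is applied by a toy client that honors Max-Age and by one that ignores it, which is the compatibility concern raised above. The cookie names, the path and the toy client are constructed for illustration.

```python
from http.cookies import SimpleCookie


def deletion_header(name, path):
    """Build a Set-Cookie value asking the client to discard `name`."""
    cookie = SimpleCookie()
    cookie[name] = ""              # empty value, as the quoted poster suggests
    cookie[name]["path"] = path    # must match the path the cookie was set with
    cookie[name]["max-age"] = 0    # RFC 2109 4.2.2: zero means discard immediately
    return cookie[name].OutputString()


def apply_set_cookie(jar, header, honors_max_age=True):
    """Toy client: update `jar`, a dict keyed by (name, path), from one header."""
    parsed = SimpleCookie()
    parsed.load(header)
    for name, morsel in parsed.items():
        key = (name, morsel["path"])
        if honors_max_age and str(morsel["max-age"]) == "0":
            jar.pop(key, None)       # discard only this cookie
        else:
            jar[key] = morsel.value  # a client unaware of Max-Age just stores it
    return jar


def demo():
    """Run the same three headers through both kinds of client."""
    results = {}
    for label, honors in (("rfc2109", True), ("legacy", False)):
        jar = {}
        # Constructed sample cookies: a shared auth cookie and a separately
        # named test cookie, so the test never overwrites the auth cookie.
        apply_set_cookie(jar, "auth=ticket123; Path=/mailman", honors)
        apply_set_cookie(jar, "test=1; Path=/mailman", honors)
        apply_set_cookie(jar, deletion_header("test", "/mailman"), honors)
        results[label] = jar
    return results


if __name__ == "__main__":
    for label, jar in demo().items():
        print(label, jar)
```

On the client that ignores Max-Age the test cookie survives with an empty value, so server code has to treat an empty cookie as absent.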