how to disable a cookie, mine won't work!

[jackjake]

I'm building a database using mysql and perl. If a user provides correct login info, a cookie is set like this:

my $cookie = $q->cookie(-name =>"ggtUser", -value => $username);
print $q->redirect(-location=> "the url of the homepage here",
-cookie => $cookie);

Each pages in my database site checks the cookie and if it's not there, the user is redirected to the login page.

my $theCookie = $q->cookie('ggtUser');
if(not $theCookie) {
#code to redirect to login page here
}else{
#display the page
}

I want to set a logout button. when it's clicked, logout.cgi runs,
here is my logout.cgi:

#!/usr/bin/perl -w

use CGI qwstandard);

my $q=new CGI;

my $cookie = $q-cookie(-name ="ggtUser", -expires='-1h');

print $q-redirect(-location= "the url of the login page here",
-cookie = $cookie);

I set the time to a -1h, so the cookie will expire and even if
the user does not close the IE, he has to login again to enter the
database. but it does not work. after I click logout, if I paste the
URL of a page in my database into IE, it still opens. Does anyone know why my logout.cgi does not work?

Thanks for any help!

 

[jackjake]

Sorry, when I was editing this post, I accidently removed some '>', here is the correct logout.cgi

#!/usr/bin/perl -w

use CGI qwstandard);

my $q=new CGI;

my $cookie = $q->cookie(-name =>"ggtUser", -expires=>'-1h');
print $q->redirect(-location=> "the url of the login page here",
-cookie => $cookie);

please anyone tell me why it won't work

 

[icrf]

Is it a simple browser caching issue? Once you go to the protected page and try to refresh, does it still come up? If it thinks you're logged out after a refresh, then you just need to set some of the no-cache headers on the protected pages to get that the first time (but site load will increase).

Also, if there's some goofy time zone issue, maybe -1h isn't enough? I'm not sure what that's based off of, though I assume CGI.pm is using the local server date/time to create an absolute time to send to the client. If they have different idea of when "now" is, it may be safer to expire with a negative day isntead of an hour.

________________________________________
Andrew

I work for a gift card company!

 

[jackjake]

thanks for the help! but after I changed it to '-1d', it still won't work, and I clicked the refresh button, it still opens after logout

 

[icrf]

Hmm...does IE let you check the contents of the cookie's its storing for things like expirations dates? A good check would be to see if it's seeing that the cookie is expired and doing nothing about it, or not seeing it at all. Does the same thing happen in other browser, ala Firefox or Opera? They have good tools to check things like that.

Also, does the login/logout pages and the home/protected pages differ by domain name? Cookies are associated with domains, though browsers may accept cookies from a slightly different domain (like a sub-domain) but not be able to change those cookie without an explicit match of domain.

________________________________________
Andrew

I work for a gift card company!

 

[jackjake]

thanks, andrew! I'll see if I can check the cookies in IE