Posted to modperl@perl.apache.org by Si...@williamslea.com on 2000/07/20 21:46:19 UTC

AuthCookie problem ?

Hi all,

      Environment is :

      Randy Kobes' WinNT binary (0.6) - Apache (1.3.12), mod_perl (1.23), Perl
      5.6.0 & mod_ssl (2.6.3-1.3.12) / OpenSSL (0.9.5a)
      Apache::AuthCookie 2.11
      Apache::Session 1.51

      Setup:

      AuthCookie handles in-browser authentication.
      Session is used to store the username and other details, and the session
      key is passed to AuthCookie to send back to the browser.

      When a protected page is requested, authen_ses_key uses the cookie to
      recover the session & extract the username, which is passed back to
      AuthCookie.

      When a user logs out, the session is deleted, AuthCookie's logout method
      is called and then an internal redirect happens to a simple "you have
      logged out" page.

      Problem :

      Using IE, once logged out I can enter a URL of a previously visited page
      and display it (Apache logs show nothing so I assume IE is caching it
      client side).
      When I click on, even to another visited page, the login dialog is
      displayed.
      The logs show that IE presents the session key which should have been
      deleted by the logout method. It fails (the session has been deleted) and
      forces a re-logon.

      Questions :

      Am I doing something wrong when I log people out that allows this
      behaviour (doesn't seem to happen in Netscape)?
      Slightly OT - Anyone know why IE appears to be caching stuff it
      shouldn't?

      All help greatly appreciated !

      Simon Wilcox
      Intranet Development Manager
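
The setup described in the post, written out as an added example (not the poster's code): an Apache::AuthCookie subclass whose authen_ses_key refuses a key whose Apache::Session record is gone and marks protected responses as non-cacheable, plus a logout routine in the order the post gives. The package name, store paths, the `username` field, the `end_session` helper and `/logged_out.html` are assumptions; the login side (authen_cred) is taken to exist elsewhere.

```perl
package My::AuthCookie;                 # hypothetical module name
use strict;
use vars qw(@ISA);
use Apache::Constants qw(OK);
use Apache::AuthCookie ();
use Apache::Session::File ();
@ISA = ('Apache::AuthCookie');

# Assumed session store; adjust the paths for the host.
my %STORE = (Directory     => '/var/tmp/sessions',
             LockDirectory => '/var/tmp/sessions/locks');

# Return a ref to the tied session hash, or undef when the id is not in the
# store (which is the case once logout has deleted it). An empty id is
# refused here because Apache::Session would create a new session for it.
sub open_session {
    my ($id) = @_;
    return undef unless defined $id && length $id;
    my %session;
    eval { tie %session, 'Apache::Session::File', $id, \%STORE };
    return $@ ? undef : \%session;
}

# Called by AuthCookie with the key taken from the browser's cookie.
sub authen_ses_key {
    my ($self, $r, $key) = @_;
    my $session = open_session($key) or return undef;  # stale key: not logged in
    my $user = $session->{username};
    untie %$session;
    $r->no_cache(1);   # mark the protected response as non-cacheable
    return $user;
}

# Logout in the order the post describes; $key is the session key the
# caller read from the cookie (how it is obtained is left to the caller).
sub end_session {
    my ($r, $key) = @_;
    if (my $session = open_session($key)) {
        tied(%$session)->delete;        # server side: key can no longer be redeemed
        untie %$session;
    }
    __PACKAGE__->logout($r);            # AuthCookie expires the browser cookie
    $r->no_cache(1);
    $r->internal_redirect('/logged_out.html');   # assumed page
    return OK;
}

1;
```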