in reply to Loging a user out with CGI and Cookies?

I believe your problem is that you're trying to pass a cookie header at the same time as a redirect header. AFAIK that's a no-no: If a browser receives a "redirect" http header that's all that's processed, you don't get to pass any bonus information like cookie headers and such.

The solution is to recode your CGI to display a "you are logged out" message (which is good form anyway) instead of a redirect. Then you CAN pass the cookie, and all will be right with the world.

Gary Blackburn
Trained Killer

Re: Re: Loging a user out with CGI and Cookies?
by dvergin (Monsignor) on Apr 16, 2001 at 03:13 UTC
    Trimbach, you may be half right. But it is possible to accomplish this without a two-step process.

    First, the browser can indeed handle the cookie header and the "Location: ..." header line in the same server response. The Location line must come last and it must end with two new-lines.

    But I can find no indication in my quick re-visiting of the docs that the CGI redirect function allows the specification of a cookie along with the redirect. (Update: but see the following response by athomason.) And the CGI pod says don't print a header along with a redirect.

    So I accomplish this manually:

        print "Set-Cookie: $usr=x;expires=-1d\n";
        print "Location:\n\n";

    There may be a gotcha here but I haven't run into it.

    BTW, are you sure that $in{usr} and $usr have the same value? That would, of course, be crucial to what you are trying to do.

      As dvergin points out, browsers are perfectly capable of handling cookies sent with redirects. Fortunately, also supports it, though you have to dig a bit to be sure. The CGI pod indeed does not mention such a procedure, but it is supported. Browsing the code of the redirect sub in you can see:

          #### Method: redirect
          # Return a Location: style header
          #
          ####
          'redirect' => <<'END_OF_FUNC',
          sub redirect {
              my($self,@p) = self_or_default(@_);
              my($url,$target,$cookie,$nph,@other) =
                  $self->rearrange([[LOCATION,URI,URL],TARGET,COOKIE,NPH],@p);
              $url = $url || $self->self_url;
              my(@o);
              foreach (@other) { tr/\"//d; push(@o,split("=",$_,2)); }
              unshift(@o,
                  '-Status'=>'302 Moved',
                  '-Location'=>$url,
                  '-nph'=>$nph);
              unshift(@o,'-Target'=>$target) if $target;
              unshift(@o,'-Cookie'=>$cookie) if $cookie;
              unshift(@o,'-Type'=>'');
              return $self->header(@o);
          }

      Note in particular the -Cookie bit. And nicely enough, this actually works as intended. I've used bits like the following successfully:

          $cookie = cookie(
              -name    => $COOKIE_NAME,
              -value   => $session_key,
              -expires => $COOKIE_EXPIRE,
              -path    => $SCRIPT_PATH,
              -domain  => $SCRIPT_DOMAIN,
              -secure  => 0
          );
          ...
          print redirect( -uri => 'view.cgi', -cookie => $cookie );

      I admit I'm not sure why OP's bit fails. r.jospeh, take a look at the cookie files for the site you're connecting to in order to make sure they're correct. Offhand, I'd suspect (like dvergin) a difference in $in{usr} and $usr is the problem. If not, you could set up a dirty HTTP server (with HTTP::Daemon, for instance) to see what's going on with your logout cookie.
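
The debugging approach suggested in the last reply, as an added example that is not part of the original thread: a throwaway HTTP::Daemon server that sets a cookie at /login, expires it in the same response as a Location header at /logout, and prints the Cookie header of every request so you can see whether the browser dropped it. The cookie name, port 8080 and the three paths are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example: local server for watching what a browser does with a
# logout cookie that arrives together with a redirect.
# Cookie name, cookie value, port and paths are constructed for this test.
use strict;
use warnings;
use HTTP::Daemon;
use HTTP::Response;

my $COOKIE = 'session';    # assumed cookie name

my $d = HTTP::Daemon->new(
    LocalAddr => '127.0.0.1',   # loopback only: this is a debugging aid
    LocalPort => 8080,
    ReuseAddr => 1,
) or die "cannot listen: $!";
print "Listening at ", $d->url, "\n";

while (my $c = $d->accept) {
    while (my $r = $c->get_request) {
        my $path = $r->uri->path;
        my $seen = $r->header('Cookie') // '(none)';

        # Log exactly what the browser sent back on this request.
        printf "%s %s  Cookie: %s\n", $r->method, $path, $seen;

        my $res;
        if ($path eq '/login') {
            $res = HTTP::Response->new(302, 'Found');
            $res->header('Set-Cookie' => "$COOKIE=constructed-test-value; Path=/; HttpOnly");
            $res->header(Location => '/');
        }
        elsif ($path eq '/logout') {
            # Same name and Path as the cookie being removed, an empty
            # value and an expiry in the past, sent alongside the redirect.
            $res = HTTP::Response->new(302, 'Found');
            $res->header('Set-Cookie' =>
                "$COOKIE=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly");
            $res->header(Location => '/');
        }
        else {
            $res = HTTP::Response->new(200, 'OK');
            $res->header('Content-Type' => 'text/plain');
            $res->content("cookie seen: $seen\n");
        }
        $c->send_response($res);
    }
    $c->close;
}
```

Visit /login, then /logout, and compare the Cookie values printed for the two redirected requests to /: the first should carry the cookie and the second should show (none) if the browser honoured the expiry.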