invalidation of a cookie

[jimfog]

I read this tutorial here: http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/ If I understood correctly, the moment the user is authenticated(after returning the site), is the moment we create a brand new cookie. That means a new cookie every time the user returns to the site. Why do we do that, for security reasons?

[jimfog]

I read this tutorial here: http://fishbowl.past..._best_practice/ If I understood correctly, the moment the user is authenticated(after returning the site), is the moment we create a brand new cookie. That means a new cookie every time the user returns to the site. Why do we do that, for security reasons?

By the way, this forum here, does not create a new cookie every time a visitor returns.

[justsomeguy]

Yes, it's for security reasons. The old cookie is no longer valid.

By the way, this forum here, does not create a new cookie every time a visitor returns.

Nobody's perfect.

[jimfog]

Ok...I will invalidate the old cookie...by just setting its expiration date in the past? Does the cookie invalidation process includes anything else-any db action maybe?

[justsomeguy]

You don't have to change the cookies. When you change the token in the database for the new cookie then the cookies with old tokens will no longer work.