Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi all,

I have an HTML login page (form). Upon successful login, my perl script generates a session ID, which I embed in all the URL links. When the user logs out, I remove the session id from the session database. However, if I click the "Back" button, I get this error message: "The page cannot be refreshed without resending the information. Click Retry to send the information again, or click Cancel to return to the page that you were trying to view." When I click "Retry," the login information in the HTML form is re-sent to the web server. This is a big security hole. How do I disable this? I'm very new to web/PERL programming, so I'm not sure what other options I have. Any pointers are greatly appreciated. Thanks for your time and help.

Monica

Re: Session Expiration and Refresh Button
by jasonk (Parson) on Feb 20, 2003 at 22:46 UTC

    This is a fundamental flaw of the method you have chosen to authenticate people. If you are 'very new' to web programming, you should really use an existing authentication package, rather than try to reinvent a wheel you aren't qualified to reinvent. (Not trying to knock you, just saying that security is important enough that you should have some experience before you try to create your own.)

    For some existing authentication implementations similar to what you are attempting, take a look at Apache::AuthCookieURL, Apache::MultiAuth, CGI::kSession, Apache::AuthPAM, or CGI::Session.

      Thanks for reading this issue and commenting on it. The links that you provided are useful, but I'm not sure if they would solve my problem. I believe that the fundamental problem is that the browser stores the post data information. It shouldn't do this. Even if I use cookies to store the session information, I would still have this problem. For example: The login page is an HTML form. When I get the login information from the form, my perl script will generate a session id. Let's say that I store this information in a cookie. If the user logs out, I delete the cookie. However, if the user now clicks the "back" button, the browser would re-send the login username/password without prompting the user for login information (security hole!). My perl script would then generate a session id.

      I know that login forms are used in various websites. I'm not sure how they solve this problem or if this is simply my own implementation issue. The wealth of information in the web on session tracking is dizzying, and it's confusing about what really works and what doesn't.

      Monica
Re: Session Expiration and Refresh Button
by Aristotle (Chancellor) on Feb 21, 2003 at 00:26 UTC
Re: Session Expiration and Refresh Button
by glwtta (Hermit) on Feb 21, 2003 at 21:13 UTC
    I have the same problem, in a more general sense. I generate a lot of dynamic pages, whenever anyone uses "back" to go to any of them after following a link, they are forced to resubmit the POST (even if this is immediately after the page was generated) - very annoying.

    This is with mod_perl on apache - is there a way I can control the "expiration" of a webpage from the server side?
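Both problems in this thread (the replayed login POST in the original question and the resubmit prompt on "back" in the last reply) come from the same thing: the page the browser holds in its history is the response to a POST, so going back to it means re-sending the POST. The following is an added example, not Monica's script, glwtta's code, or any module's own source. It answers the login POST with a `303 See Other` redirect to a GET page (Post/Redirect/Get), so the history entry the user returns to is a GET and no resubmit prompt appears, and it binds each login form to a single-use token so that a replayed POST is refused instead of minting a fresh session. The script URL, the landing page, the `check_password` stub and the in-process `%SESSION` / `%LOGIN_TOKEN` hashes are assumptions standing in for the poster's real session database.

```perl
#!/usr/bin/perl
# login.cgi: Post/Redirect/Get login with a single-use form token.
# Added example, not the original poster's script.
use strict;
use warnings;
use CGI;
use CGI::Cookie;
use Digest::SHA qw(sha256_hex);

# ASSUMPTION: stand-ins for the session database. With plain CGI each
# request is a new process, so in a real deployment both tables must live
# in the same persistent store the session IDs already use.
our %SESSION;       # session id => { user => $name, issued => $epoch }
our %LOGIN_TOKEN;   # token      => issue time; deleted on first use

my $SELF    = '/cgi-bin/login.cgi';   # assumed URL of this script
my $LANDING = '/cgi-bin/welcome.cgi'; # assumed page shown after login

# 256 bits from the kernel CSPRNG, hex-encoded; used for both session IDs
# and form tokens so neither is guessable.
sub random_hex {
    open my $fh, '<', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read($fh, my $bytes, 32) == 32 or die "short read from /dev/urandom";
    close $fh;
    return sha256_hex($bytes);
}

# Placeholder credential check (assumption). A real script compares
# against a salted password hash, never a literal.
sub check_password {
    my ($user, $pass) = @_;
    return defined $user && defined $pass
        && $user eq 'monica' && $pass eq 'secret';
}

# Every POST ends in a redirect, so the browser's history entry is a GET.
sub send_redirect {
    my ($url, @cookies) = @_;
    print "Status: 303 See Other\r\n", "Location: $url\r\n";
    print "Set-Cookie: $_\r\n" for @cookies;
    print "Cache-Control: no-store\r\n\r\n";
}

# GET: render the form with a fresh token; the page itself is not cached.
sub show_form {
    my ($err) = @_;
    my $token = random_hex();
    $LOGIN_TOKEN{$token} = time;
    my %msg = (replay => 'This login form has already been used; try again.',
               bad    => 'Unknown user or wrong password.');
    my $notice = defined $err && $msg{$err} ? "<p>$msg{$err}</p>" : '';
    print "Content-Type: text/html; charset=UTF-8\r\n",
          "Cache-Control: no-store\r\n\r\n";
    print <<"HTML";
<html><body>$notice
<form method="post" action="$SELF">
<input type="hidden" name="token" value="$token">
User <input name="user"> Password <input type="password" name="pass">
<input type="submit" value="Log in">
</form></body></html>
HTML
}

my $q = CGI->new;
if ($q->request_method eq 'POST') {
    my $token = $q->param('token') // '';
    if (!delete $LOGIN_TOKEN{$token}) {
        # Missing or already-consumed token: this is a replay (Back + Retry
        # or a resent request). Do not authenticate, do not issue a session.
        send_redirect("$SELF?err=replay");
    }
    elsif (check_password(scalar $q->param('user'), scalar $q->param('pass'))) {
        my $sid = random_hex();
        $SESSION{$sid} = { user => scalar $q->param('user'), issued => time };
        my $cookie = CGI::Cookie->new(-name => 'sid', -value => $sid,
                                      -path => '/', -secure => 1, -httponly => 1);
        send_redirect($LANDING, $cookie->as_string);
    }
    else {
        send_redirect("$SELF?err=bad");
    }
}
else {
    show_form(scalar $q->param('err'));
}
```

Logout should delete the session row and expire the cookie the same way, and then redirect with `303` as well; after that, "back" lands on a GET of the login form whose token has already been consumed, so the only thing a retried POST can do is land on the `replay` branch. The `Cache-Control: no-store` header is there to keep the login page and the redirect response out of caches and history stores; it is the redirect, not the cache header, that removes the resubmit prompt, which is the answer to the mod_perl question in the last reply too: under mod_perl the same headers are set through the Apache request object instead of printed directly.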