in reply to Re: Session Expiration and Refresh Button
in thread Session Expiration and Refresh Button
Thanks for reading this issue and commenting on it. The links that you provided are useful, but I'm not sure if they would solve my problem. I believe that the fundamental problem is that the browser stores the post data information. It shouldn't do this. Even if I use cookies to store the session information, I would still have this problem.

For example: The login page is an HTML form. When I get the login information from the form, my Perl script will generate a session id. Let's say that I store this information in a cookie. If the user logs out, I delete the cookie. However, if the user now clicks the "back" button, the browser would re-send the login username/password without prompting the user for login information (security hole!). My Perl script would then generate a session id.

I know that login forms are used in various websites. I'm not sure how they solve this problem or if this is simply my own implementation issue. The wealth of information on the web on session tracking is dizzying, and it's confusing as to what really works and what doesn't.
Monica
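
One common way to handle the re-sent login POST described above, shown as an added example that is not part of the original post: the login form carries a single-use token, and the script answers the POST with a 303 redirect, so a replayed POST creates no session. The function names, paths, cookie name and demo credentials are assumptions made for this illustration, and the token store is kept in memory only so the script runs on its own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added illustration; names, paths and credentials below are assumptions.
my %pending_nonce;  # single-use form tokens (in memory for the demo)
my %session;        # session id => user
my %demo_users = (alice => 'demo-password');  # constructed; real code checks a password hash

# 16 bytes from the OS random source, hex-encoded.
sub random_hex {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $buf;
}

# GET /login: each rendered form embeds a fresh nonce in a hidden field.
sub login_form {
    my $nonce = random_hex();
    $pending_nonce{$nonce} = time;
    return $nonce;
}

# POST /login: returns the raw CGI response headers.
sub handle_login_post {
    my (%p) = @_;
    my $retry = "Status: 303 See Other\r\nLocation: /login\r\n\r\n";
    # delete() succeeds only once per nonce, so a resent POST stops here.
    return $retry unless defined $p{nonce} && delete $pending_nonce{$p{nonce}};
    my $expected = $demo_users{ $p{user} // '' };
    return $retry unless defined $expected && ($p{pass} // '') eq $expected;
    my $sid = random_hex();
    $session{$sid} = $p{user};
    # Redirect instead of rendering, so the landing page comes from a GET.
    return "Status: 303 See Other\r\nLocation: /app\r\n"
         . "Set-Cookie: sid=$sid; Path=/; HttpOnly; Secure\r\n"
         . "Cache-Control: no-store\r\n\r\n";
}

# Constructed requests: the same POST body sent twice.
my %post   = (user => 'alice', pass => 'demo-password', nonce => login_form());
my $first  = handle_login_post(%post);
my $replay = handle_login_post(%post);  # what Back/Refresh would resend
for (['first', $first], ['replay', $replay]) {
    printf "%-6s -> %s\n", $_->[0], $_->[1] =~ /^Set-Cookie:/m ? 'session created' : 'sent back to /login';
}
```

In a deployed script the nonce table would live in server-side storage with an expiry, since each CGI request runs as a separate process.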