> Can you please enlighten me about the purpose of regularly changing
> Hcook and Lcook? Is it because you want to restrict the session
> length?

Sorry for coming back to this so late, but I have been traveling too much in the past days.

The purpose of changing Hcook and Lcook is to only request authentication when strictly necessary and avoid unauthorized access by cookie copying. If you just use a single non-persistent cookie, the user has to re-authenticate whenever (s)he starts the browser. To avoid this, Hcook is a persistent cookie. But then cookie copying may grant access to several users at the same time. There is a registry at the PoA of the active and valid Hcooks, associated with a nonce that is included in the cookie itself. This way, if a user copies the cookie to a second one, (s)he is not also providing access rights to this other user, but *transferring* them.

So to say, the change of the cookies makes them unique access tokens (and they work behind proxies, firewalls, NATs and all this kind of funny stuff).

Best regards,

--
"This time we will not fail, Doctor Infierno"

Diego R. Lopez
RedIRIS
The Spanish NREN
Tel: +34 955 056 621
Mobile: +34 669 898 094
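The nonce rotation described in the message above, as an added example that is not part of the original message and is not RedIRIS code: a simplified registry keeps one valid nonce per session and replaces it on every accepted request, so a copied cookie transfers access instead of duplicating it. The class and method names, the `sid|nonce|mac` cookie layout and the use of HMAC are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class PoARegistry:
    """Toy model of a point-of-access registry: one valid nonce per session."""

    def __init__(self, key: bytes):
        self._key = key
        self._current = {}  # session id -> the only nonce currently accepted

    def _encode(self, sid: str, nonce: str) -> str:
        # Assumed cookie layout: sid|nonce|HMAC-SHA256(sid|nonce)
        mac = hmac.new(self._key, f"{sid}|{nonce}".encode(), hashlib.sha256).hexdigest()
        return f"{sid}|{nonce}|{mac}"

    def issue(self, sid: str) -> str:
        """After authentication: register a fresh nonce and return the cookie."""
        nonce = secrets.token_hex(16)
        self._current[sid] = nonce
        return self._encode(sid, nonce)

    def present(self, cookie: str):
        """Validate a cookie. On success, rotate the nonce and return the new
        cookie; return None if the cookie is malformed, forged or stale."""
        try:
            sid, nonce, mac = cookie.split("|")
        except ValueError:
            return None
        expected = self._encode(sid, nonce).rsplit("|", 1)[1]
        if not hmac.compare_digest(mac, expected):
            return None
        registered = self._current.get(sid)
        if registered is None or not hmac.compare_digest(nonce, registered):
            return None
        return self.issue(sid)  # the old nonce stops being valid here


def demo():
    """Constructed scenario: a cookie is copied to a second browser."""
    poa = PoARegistry(secrets.token_bytes(32))
    original = poa.issue("session-1")    # constructed session id
    copied = original                    # second browser holds an exact copy
    refreshed = poa.present(copied)      # copy used first: accepted and rotated
    owner_retry = poa.present(original)  # first holder now carries a stale nonce
    continued = poa.present(refreshed)   # only the holder of the new cookie goes on
    return refreshed is not None, owner_retry is None, continued is not None
```

Whichever browser presents the cookie first keeps the session; the other one falls back to re-authentication, which is the "transfer" behaviour the message describes.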