Hi Kite,

Thanks for your explanation, but I don't think it's right: The session is also cookie based and the session cookie lifetime could be set to persist after the browser window is closed (using the PHP function session_set_cookie_params), depending on the checkbox status of the login form. Cookies always expire at a fixed date (http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_attributes). It is true that the cookie lifetime is regenerated at every page request in auth_login. But the lifetime of the session cookie could also be re-set. I think there is another explanation for the use of a separate cookie.

Gabriel

_____

From: dokuwiki-bounce@xxxxxxxxxxxxx [mailto:dokuwiki-bounce@xxxxxxxxxxxxx] On Behalf Of Kite
Sent: Wednesday, 5 December 2007 17:17
To: dokuwiki@xxxxxxxxxxxxx
Subject: [dokuwiki] Re: Why is the auth system cookie-based?

Hi Gabriel,

It seems obvious to me that it is because a cookie persists longer than a session; closing the window does not force you to log back in ... once you're logged in, you're connected as long as you have your cookie. If I'm not mistaken, the cookie is refreshed with every page view, so its cache timeout is always taken from the last page viewed rather than the first.

I guess the question you haven't reached yet is: do you want the wikis on your server to all use the same salt value so that a user can log into any wiki where his user name and password are set to the same value? Then your users could roam freely within your websites/wikis. Since the salt is stored as a file, you could copy it between sites ... I'm not sure how you would, or if you could, regenerate the password file with a new salt.

Kite

Gabriel Birke <Gabriel.Birke@xxxxxxxxx> wrote:

Hello,

today I figured out why users are logged out when you have two wikis on the same server that share their session cookie: It was because the salt for encrypting the password was different in the two wiki instances. After copying data/meta_htcookiesalt from one instance to the other, everything works fine now.

However, I can't figure out why the code in auth_login is implemented the way it is implemented. As far as I understand, the cookie data (username and password) is "cached" in the session; after the cache expires (the cache lifetime is stored in $conf['auth_security_timeout']) the cookie data is sent to the auth class. But why store the data in the cookie at all? Wouldn't a session suffice? The code is very clever, I understand what it does, but I don't understand the reason behind it. Can anyone explain?

Greetings,
Gabriel

--
DokuWiki mailing list - more info at http://wiki.splitbrain.org/wiki:mailinglist
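Gabriel's alternative in the first reply, a persistent PHP session cookie driven by the login form's checkbox and re-sent with a fresh expiry on every request, as an added illustration that is not DokuWiki code nor from any poster; the lifetime constant, the `remember` form field and the sample user are assumptions.

```php
<?php
// Added example (not DokuWiki code): make the PHP session cookie itself
// persistent when the "remember me" checkbox is set, and refresh its expiry
// on each request. Lifetime and field names are arbitrary assumptions.

const REMEMBER_LIFETIME = 60 * 60 * 24 * 14; // 14 days (assumed value)

function start_session_for(bool $remember): void
{
    // 0 = cookie dies with the browser window; otherwise a fixed expiry date
    // is attached, since cookies cannot express "until the window closes, plus N".
    $lifetime = $remember ? REMEMBER_LIFETIME : 0;
    // path '/', current host, HTTPS only, not readable by page scripts
    session_set_cookie_params($lifetime, '/', '', true, true);
    session_start();
}

function refresh_session_cookie(): void
{
    // PHP only emits Set-Cookie for a new session id, so to get the
    // "refreshed on every page view" behaviour the cookie is re-sent here
    // with the same id and a new absolute expiry.
    if (empty($_SESSION['remember'])) {
        return;
    }
    $p = session_get_cookie_params();
    setcookie(session_name(), session_id(), time() + REMEMBER_LIFETIME,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}

// --- login request: the checkbox decides persistence -----------------------
$remember = isset($_POST['remember']) && $_POST['remember'] === '1';
start_session_for($remember);
session_regenerate_id(true);        // fresh id once the user is authenticated
$_SESSION['user']     = 'alice';    // constructed sample user, after password check
$_SESSION['remember'] = $remember;  // remembered so later requests can refresh

// --- any later request: no credentials stored client-side, only the id -----
// start_session_for(false);   // lifetime param is irrelevant for an existing id
// refresh_session_cookie();   // pushes the expiry forward again
```

Only the opaque session id ever reaches the client; the username and password stay server-side, which is the point of contention with the separate cookie that auth_login uses.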