Thanks for your answer,but I am not very clear about the severity of consequence if no login ticket.Can give me a example? Thanks again!
Best regards On Sat, Mar 10, 2012 at 5:57 PM, jleleu <[email protected]> wrote: > Hi, > > I agree with you : https should prevent replay attacks but I'm not sure > that all browsers (and particularly old browsers) handle this in a correct > way. I wouldn't be surprised to find a browser or a certain use case which, > after explicit login and logout, proposes me to "repost my form" (my > credentials !) if I go back in history. > Adding a login ticket to the login phase forces the user to log within a > certain delay and after browsing a valid login page. I think it boosts > security in many cases, not only to prevent replay attacks. > > Best regards, > Jérôme > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
