Lien Tan wrote:
Don't use form submit to validate login. It is certainly very weak in security. Use #server()# to capture the userid and keep it in %session.Data. Then, with a button, when the Enter key is pressed or the button is clicked, use another #server()# to bring back the password, and if it validates OK, use server-redirect to the next page.
All these CSP features are very useful for data entry. I use them a lot.
Lien Application Developer Monic System
"Ralf Huwald" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
"Gertjan Klein" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
"Ralf Huwald" <[EMAIL PROTECTED]> wrote:
The disadvantage of this solution is that you have to click on the LoginButton. In a Submit-Form you just need to press ENTER. So I'd prefer the other version (which still is not working).
Why don't you just simply submit to login.csp? Check the login there (in OnPreHTTP), and if OK, do either a server-side or a client-side redirect to main.csp. No need for #server()# either.
Gertjan,
You are right, I could check the login in OnPreHTTP, but this would give anybody a chance to access my site with http://www.somewhere.com/csp/abc/Login.csp?User=aaa&Password=bbb... After enough tries, he may be successful. Maybe I am wrong, but I think this could happen.
When there is no OnPreHTTP where the previously entered fields are validated, this "hack" would be more difficult. That's the reason for the <form ... onsubmit="return #server(..);">. Another advantage is that the page will not be reloaded when the user entered a wrong password or something else is wrong.
By the way, the workaround with the second javascript function is working.
There's just one open question: what is the difference between false and %boolean(0)?
Ralf
Gertjan.
-- Gertjan Klein
