On Jan 8, 2008 1:46 AM, Robert Bradshaw <[EMAIL PROTECTED]> wrote:
> Hey Alex,

Hi Robert,

> I'm stumped by some of the twisted notebook code. Specifically, if
> the login form is set to POST instead of GET it redirects login/

You are definitely going to want the login form to always be a POST, not a GET, so that the credentials are sent as post-data, not as GET URL parameters.

> This slash is particularly annoying.

In what case is this causing a problem?

> Is there any way to
>
> 1) have it not redirect to login/

The path 'login' is required to be there for the authentication to work (you could change it to some other name, but then you would have to change other code).

> or 2) set the session cookie path (to '/')

You can always set the cookie path to whatever you want when you initially send it (right after login) through the 'Set-Cookie' HTTP header.

> I bet you have similar issues knoboo.

I have definitely made some improvements in Knoboo to the authentication code since it was first put into the Sage notebook.

One major issue that still exists in the Sage notebook has to do with login and is *a security issue*: it is necessary to do a redirect after 'login' (which is a POST) to a GET, such that the post-data is not stored in the browser. This is an important issue because *after logout the username/password remains in the browser*, and all someone else has to do to log in with the last person's credentials is to hit the back button and then refresh the page. (Try it yourself.) The solution to this problem is called the 'post-redirect-get method' (see Google for more info) and, besides being needed for security, I think it might solve the above problems that you are facing.
Alex

> Thanks,
> - Robert
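The post-redirect-get login flow described in the message above, as an added example that is not code from the Sage notebook or Knoboo: a dependency-free Python request handler (constructed names such as `handle`, `USERS` and `SESSIONS`, and a constructed credential store) that answers POST /login with a 303 redirect and sets the session cookie with Path=/, so the page the browser keeps in its history is the GET, not the POST carrying the password.

```python
import hmac
import secrets
from http import HTTPStatus

# Constructed demo credential store and in-memory session table (not from the thread).
USERS = {"alice": "correct horse"}
SESSIONS = {}  # session id -> username


def _check_password(user, password):
    expected = USERS.get(user)
    # Constant-time comparison so timing does not reveal how much of the password matched.
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def handle(method, path, form=None, cookies=None):
    """Return (status, headers, body) for a minimal login flow using post-redirect-get."""
    form, cookies = form or {}, cookies or {}
    if path == "/login" and method == "POST":
        user, password = form.get("username", ""), form.get("password", "")
        if not _check_password(user, password):
            # Redirect on failure too: the POST body must never be the page the browser re-shows.
            return HTTPStatus.SEE_OTHER, {"Location": "/login?failed=1"}, ""
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = user
        headers = {
            "Location": "/home",  # 303: the browser follows with a GET, so back/refresh replays no POST
            # Path=/ makes the cookie apply site-wide instead of only under /login/
            "Set-Cookie": f"session={sid}; Path=/; HttpOnly",
        }
        return HTTPStatus.SEE_OTHER, headers, ""
    if path == "/login":
        return HTTPStatus.OK, {"Content-Type": "text/html"}, "<form method=post>...</form>"
    sid = cookies.get("session", "")
    if path == "/logout" and method == "POST":
        SESSIONS.pop(sid, None)  # invalidate server-side, then clear the cookie in the client
        return HTTPStatus.SEE_OTHER, {"Location": "/login", "Set-Cookie": "session=; Path=/; Max-Age=0"}, ""
    user = SESSIONS.get(sid)
    if user is None:
        return HTTPStatus.SEE_OTHER, {"Location": "/login"}, ""
    return HTTPStatus.OK, {"Content-Type": "text/html"}, f"<p>Welcome {user}</p>"
```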
