Hi all,

And just to follow up on that, you should always serve your login page under
SSL as otherwise the "bad guys" can change the FORM action parameter and use it
to grab your usernames and passwords.

So, the initial GET to grab the login page can trigger the http->https
redirect rather than doing it under the POST of the FORM.  Which is the
best course of action anyway.

Cheers,
	-- jon

Daniel Brown wrote:
This was news to me too. But, from the horse's mouth:

RFC 2616                        HTTP/1.1                       June 1999


   If the 302 status code is received in response to a request other
   than GET or HEAD, the user agent MUST NOT automatically redirect the
   request unless it can be confirmed by the user, since this might
   change the conditions under which the request was issued.
[ snip ]

--
Jon Eaves <[EMAIL PROTECTED]>
http://www.eaves.org/jon


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to