Hi all, And just to follow up on that, you should always serve your login page under SSL as otherwise the "bad guys" can change the FORM action parameter and use it to grab your usernames and passwords.
So, the initial GET to grab the login page can trigger the http->https redirect rather than doing it under the POST of the FORM. Which is the best course of action anyway. Cheers, -- jon Daniel Brown wrote:
This was news to me too. But, from the horse's mouth: RFC 2616 HTTP/1.1 June 1999 If the 302 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.
[ snip ] -- Jon Eaves <[EMAIL PROTECTED]> http://www.eaves.org/jon --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
