Hello guys, I found the question interesting, and as I love to feel important :P I wrote a few lines.

Firstly, all our sessions are created only upon successful login. (The login page uses a normal static form, with a direct action for the login.)

Then, for the problem described, theoretically speaking, there is no "secure" way of doing it, as the user will always have to send the info via the web browser.

But I think your question will remain in the "normal users" security, I mean people just hitting the back button and not knowing how to view browser cache and so on.

For this, we use a simple JavaScript code which does the following:
- Open a new window.
- Close the login window.
- Clear the last history entry.

Now, if you want a truly secure login, there is only 1 way I know, the third security credential. (RSA SecurID, phone call or simply a list of numbers on a paper, in sync with the server.)

At last, you can also put some transparent security checks like:
- If re-logging after a logout (less than 1h from the same IP), you ask a second time for the password.
- Do not allow 2 sessions with the same username.
- Do not allow 2 sessions with the same IP.
- Ask for the password on sensitive tasks. (Like deleting a file, deleting a bunch of info, stopping the nuclear factory... :P )
- Put a JavaScript timer on the page; this timer will call logout after x seconds.

Those are just some ideas, then you should do what meets your needs.

Regards
--
Kuon
CEO - Goyman.com SA
http://www.goyman.com/
"Computers should not stop working when the users' brain do."
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list ([email protected])
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com
This email sent to [email protected]
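The checks Kuon lists above (one session per username, one session per IP, a second password prompt when re-logging within an hour of a logout from the same IP, a fresh password check before sensitive tasks, and a logout timer) are shown below as an added example of how a server-side session policy could implement them. This is not code from the original post or from WebObjects; the class name, the method names, the time windows (15 minutes idle, 5 minutes for a fresh password check) and the sample users are assumptions chosen for the demonstration. The real credential check is passed in as a boolean so the policy logic can be exercised on its own.

```javascript
// Added example, not code from the original post or from WebObjects.
// In-memory session policy implementing the checks listed in the message.
// All constants, names and sample values are assumptions for the demonstration.

const RELOGIN_WINDOW_MS = 60 * 60 * 1000;  // "less than 1h" from the post
const IDLE_TIMEOUT_MS = 15 * 60 * 1000;    // the post's "x seconds"; 15 min assumed
const STEP_UP_MAX_AGE_MS = 5 * 60 * 1000;  // assumed: how fresh a password check must be

class SessionPolicy {
  constructor() {
    this.sessions = new Map();      // sessionId -> { user, ip, lastSeen, lastPasswordCheck }
    this.recentLogouts = new Map(); // "user@ip" -> time of the last explicit logout
    this.nextId = 1;
  }

  // Attempt a login. `passwordOk` is the result of the real credential check
  // (outside this example); `secondPasswordOk` is the result of the repeated
  // prompt that is only demanded for quick re-logins from the same IP.
  login(user, ip, passwordOk, now, secondPasswordOk = false) {
    if (!passwordOk) return { ok: false, reason: 'bad-password' };
    this.expireIdle(now);
    for (const s of this.sessions.values()) {
      if (s.user === user) return { ok: false, reason: 'user-already-logged-in' };
      if (s.ip === ip) return { ok: false, reason: 'ip-already-logged-in' };
    }
    const loggedOutAt = this.recentLogouts.get(`${user}@${ip}`);
    if (loggedOutAt !== undefined && now - loggedOutAt < RELOGIN_WINDOW_MS && !secondPasswordOk) {
      return { ok: false, reason: 'second-password-required' };
    }
    const sessionId = String(this.nextId++);
    this.sessions.set(sessionId, { user, ip, lastSeen: now, lastPasswordCheck: now });
    return { ok: true, sessionId };
  }

  // Explicit logout: forget the session and remember when it happened.
  logout(sessionId, now) {
    const s = this.sessions.get(sessionId);
    if (!s) return false;
    this.sessions.delete(sessionId);
    this.recentLogouts.set(`${s.user}@${s.ip}`, now);
    return true;
  }

  // Server-side counterpart of the page timer: drop sessions idle for too long.
  expireIdle(now) {
    for (const [id, s] of this.sessions) {
      if (now - s.lastSeen > IDLE_TIMEOUT_MS) this.sessions.delete(id);
    }
  }

  // Called on every ordinary request. Returns false if the session is gone.
  touch(sessionId, now) {
    this.expireIdle(now);
    const s = this.sessions.get(sessionId);
    if (!s) return false;
    s.lastSeen = now;
    return true;
  }

  // Sensitive task: demand a fresh password check unless a recent one exists.
  authorizeSensitive(sessionId, now, passwordOk = null) {
    if (!this.touch(sessionId, now)) return { ok: false, reason: 'no-session' };
    const s = this.sessions.get(sessionId);
    if (now - s.lastPasswordCheck <= STEP_UP_MAX_AGE_MS) return { ok: true };
    if (passwordOk === true) {
      s.lastPasswordCheck = now;
      return { ok: true };
    }
    return { ok: false, reason: 'password-required' };
  }
}

// Browser-side equivalent of the post's timer: call logoutFn after `seconds`.
// The scheduler is injectable so the behaviour can be checked without waiting.
function scheduleAutoLogout(seconds, logoutFn, scheduler = setTimeout) {
  return scheduler(logoutFn, seconds * 1000);
}
```

Idle expiry is applied on every call that touches the session table, so a session abandoned by closing the browser is cleaned up server-side even if the page timer never fires; the page timer only improves the user-facing behaviour, it is not what enforces the limit.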
