Steve Freitas wrote:
> > 1) I'm pretty sure that you're right -- SecurePage doesn't handle POST
> > properly. It needs to encode the posted variables into hidden fields in the
> > login form, but it doesn't. Patches welcome.
>
> Okay, that shouldn't be too hard. I'll whip something up.
>
> > 2) If you use your browser's BACK button to go back to the login form, then
> > re-post the user name and password, it will always fail to log you in. This
> > is by design.
>
> Well, I'm not using BACK to go clear back to the login form, just to Page 1,
> which I'd already logged into. Does your answer still apply here?

Yes, it also applies if you go back to the first page that you got to AFTER logging in and then re-POST. Because when you re-POST that page, you are supplying the login information again, which the SecurePage mechanism treats as a failed login.

> > Maybe step 2 above is unnecessary paranoia -- any thoughts?
>
> "Unnecessary paranoia?" In computer security, there is no such thing.

True. What I meant is, maybe it just appears to add extra security, but doesn't in fact really do so.

- Geoff
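
The fix described in point 1, carrying the interrupted request's POST variables through the login form as hidden fields, as an added example (not part of this thread and not Webware's SecurePage code). The field names, function names and sample data are assumptions made for illustration.

```python
from html import escape

# Assumed names of the login form's own inputs (hypothetical, not SecurePage's).
LOGIN_FIELDS = {"username", "password"}

# Constructed sample: the POST that was interrupted by the login redirect.
SAMPLE_POST = {
    "comment": 'He said "hi" <b>',
    "tags": ["a", "b"],          # multi-valued field
    "password": "hunter2",       # must never be echoed into the page
}

def hidden_fields(posted):
    """Render posted variables as hidden inputs, one per value."""
    out = []
    for name, value in posted.items():
        if name in LOGIN_FIELDS:
            continue  # credentials are typed again, never replayed
        values = value if isinstance(value, (list, tuple)) else [value]
        for v in values:
            # Escape both name and value: they are client-supplied input
            # being written into an HTML attribute.
            out.append('<input type="hidden" name="%s" value="%s">'
                       % (escape(str(name), quote=True),
                          escape(str(v), quote=True)))
    return "\n".join(out)

def login_form(action, posted):
    """Build a login form that re-submits the original POST after login."""
    return "\n".join([
        '<form method="post" action="%s">' % escape(action, quote=True),
        '<input type="text" name="username">',
        '<input type="password" name="password">',
        hidden_fields(posted),
        '<input type="submit" value="Log in">',
        '</form>',
    ])

if __name__ == "__main__":
    # "/Page2" is a constructed target path for the demo.
    print(login_form("/Page2", SAMPLE_POST))
```

Skipping the credential fields keeps a stale password out of the page source, and escaping both name and value keeps the preserved data from breaking out of the attribute.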
