Randall Randall [mailto:[EMAIL PROTECTED]] wrote:
> > I have never understood where session.value('loginid') is being set,
> > why it is being deleted if it exists, why the incoming id must match
> > the old value, and what is the benefit of doing request.delField(...).
>
> loginid is set in login.py, another Example page. The answers to the
> others aren't clear to me, except that perhaps it is supposed to be a
> defense against replay attacks.
That's the idea. In other words, if you use the browser's "back" button after logging out to go back to the login page, then you hit the "forward" button to re-post the login, it won't work the second time. That's why we put in the one-time loginid and make sure to get rid of it right away.

- Geoff

_______________________________________________
Webware-discuss mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-discuss
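The one-time loginid pattern Geoff describes, as an added illustration that is not code from the Webware Examples: plain dicts stand in for Webware's session and request field objects, and the names `issue_login_id`, `consume_login_id` and `demo` are assumptions made here for the example.

```python
import secrets

# Name of the single-use token, as in the Webware login example.
SESSION_KEY = "loginid"


def issue_login_id(session):
    """Called when the login form is rendered.

    Mints a fresh unguessable token, stores it server-side in the session
    and returns it so the form can carry it as a hidden field.  Any older,
    unused token is overwritten, so only the most recent form is valid.
    """
    login_id = secrets.token_urlsafe(16)
    session[SESSION_KEY] = login_id
    return login_id


def consume_login_id(session, request_fields):
    """Called on the login POST; returns True only for a fresh, matching token.

    The stored token is removed from the session unconditionally (the
    'delete it if it exists' step), and the submitted field is removed from
    the request (the request.delField step) so later code never sees it.
    Because removal happens before the result is used, a second POST of the
    same form (Back, then Forward) finds no stored token and is rejected.
    """
    expected = session.pop(SESSION_KEY, None)
    submitted = request_fields.pop("loginid", None)
    if expected is None or submitted is None:
        return False
    # Constant-time comparison of the submitted value against the stored one.
    return secrets.compare_digest(expected, submitted)


def demo():
    """Constructed walk-through: a genuine login, then the same POST replayed."""
    session = {}
    token = issue_login_id(session)
    # Constructed form submission; the password value is a placeholder.
    first_post = {"username": "alice", "password": "<placeholder>", "loginid": token}
    replayed_post = dict(first_post)  # identical re-POST via Back/Forward
    first_ok = consume_login_id(session, first_post)
    replay_ok = consume_login_id(session, replayed_post)
    return first_ok, replay_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```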