Christoph Zwerschke wrote:
> If I understand correctly, the login id is used to ensure nobody can
> circumvent the login page (e.g. by providing user and password directly
> as parameters in the URL). So I left the login id mechanism in the
> code, but changed it so that no new login id is created if there is
> already one in the current session. I have checked that in already. The
> Example and Admin pages are not really important, but intended to give
> people an idea how things should be done; so they should do it correctly.

I think the original reason for loginid was: suppose someone logs in, then
leaves their browser open for a while.  Their session expires.  Now suppose
someone else comes up to the browser, uses the Back button to go back to the
login screen, and then presses Forward to re-post the username and password.
The loginid is supposed to prevent this from working.  (I'm not sure if any
modern browsers will re-post a password like that, but I'm thinking that
maybe an old browser like Netscape 4 or an older IE might have been
vulnerable to this sort of thing.)

As long as your newly modified code deletes the loginid as soon as it is
used for a login, then it's fine.

- Geoff
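A minimal model of the loginid mechanism this thread describes, added here as an example and not code from Webware or from either poster: the in-memory session table, the sample user table and the function names are assumptions, and the walk-through reproduces the Back/Forward re-post case above.

```python
import secrets

# Constructed stand-in for the server-side session table: sid -> session dict.
SESSIONS = {}
USERS = {"alice": "correct horse"}  # constructed sample credentials


def new_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid


def render_login_form(sid):
    """GET of the login page: hand out the session's loginid, minting one only
    if the session has none yet (Christoph's change)."""
    session = SESSIONS.get(sid)
    if session is None:
        return None
    return session.setdefault("loginid", secrets.token_urlsafe(16))


def login(sid, loginid, user, password):
    """POST of the login form. The loginid is removed from the session on first
    use (Geoff's condition), so a re-POST of the same form cannot succeed."""
    session = SESSIONS.get(sid)
    if session is None:
        return False  # session expired: nothing for the loginid to match
    expected = session.pop("loginid", None)
    if expected is None or not secrets.compare_digest(expected, loginid):
        return False  # missing, stale or forged loginid
    if USERS.get(user) != password:
        return False  # bad credentials; a fresh loginid needs a new GET
    session["user"] = user
    return True


def replay_scenario():
    """Walk through the Back/Forward re-post story from the thread."""
    results = {}
    sid = new_session()
    lid = render_login_form(sid)
    results["reload_keeps_loginid"] = render_login_form(sid) == lid
    results["first_login"] = login(sid, lid, "alice", "correct horse")
    results["replay_same_session"] = login(sid, lid, "alice", "correct horse")
    SESSIONS.pop(sid)                      # idle session times out
    sid = new_session()                    # browser is handed a fresh session
    results["replay_after_expiry"] = login(sid, lid, "alice", "correct horse")
    results["direct_url"] = login(sid, "", "alice", "correct horse")
    return results
```

The last case is Christoph's concern: supplying user and password directly without ever loading the login page fails because no loginid was issued.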



_______________________________________________
Webware-discuss mailing list
Webware-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/webware-discuss
