On Thu, 2002-10-10 at 17:50, Bryan Mongeau wrote:
> I just started using webware and am wondering what the importance of the
> loginid hidden variable in the SecurePage example is.
> In the LoginPage, a loginid is created and embedded:
> # Create a "unique" login id and put it in the form as well as in the session.
> # Login will only be allowed if they match.
> loginid = uniqueId(self)
> self.session().setValue('loginid', loginid)
> self.writeln('<input type="hidden" name="loginid" value="%s">' % loginid)
> The hidden loginid later gets checked against the loginid in the session, with
> authentication failing if they do not match. Could someone enlighten me as to
> why anyone would need to do this and what it protects against?
It's for if someone logs out and doesn't close the browser. Another
person could come along, hit back until they get to the login form, and
resubmit it. Then they'd be logged in. But the loginid forces them to
reload the page to get another copy of a valid form, and then they'll
lose the password.
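To make the scenario in the reply concrete, here is an added, self-contained walk-through of the loginid check (example code written for this thread, not Webware's SecurePage or LoginPage). It stands in a tiny dict-backed Session for Webware's session object and secrets.token_hex for uniqueId(); the credentials, the logout behaviour (clearing the session) and the consuming of the token after a successful login are assumptions of the example rather than things the original code does.

```python
import secrets

# Stand-in for Webware's session object: a dict with Webware-style accessors.
# The real framework finds the session from a cookie; here the caller holds it.
class Session:
    def __init__(self):
        self.values = {}

    def setValue(self, key, value):
        self.values[key] = value

    def value(self, key, default=None):
        return self.values.get(key, default)

    def delValue(self, key):
        self.values.pop(key, None)


def new_login_id():
    # Substitute for Webware's uniqueId(): any unguessable random token works.
    return secrets.token_hex(16)


# Constructed sample credentials for the example only.
USERS = {"alice": "correct horse"}


def render_login_form(session):
    """Like LoginPage: mint a loginid, store it in the session, embed it in the form.

    The returned dict is the hidden field the browser keeps in its history.
    """
    loginid = new_login_id()
    session.setValue('loginid', loginid)
    return {'loginid': loginid}


def handle_login(session, form):
    """Like the SecurePage check: the hidden loginid must match the session copy."""
    expected = session.value('loginid')
    submitted = form.get('loginid')
    if not expected or not submitted:
        return False, "no login in progress: reload the login page"
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not secrets.compare_digest(expected.encode(), submitted.encode()):
        return False, "stale or forged login form: reload the login page"
    if USERS.get(form.get('username')) != form.get('password'):
        return False, "bad credentials"
    # Assumption of this example: consume the token so the same form cannot be
    # replayed even within the live session.
    session.delValue('loginid')
    session.setValue('authenticated_user', form['username'])
    return True, "logged in as %s" % form['username']


def logout(session):
    """Assumed logout: drop every session value, as expiring the session would."""
    session.values.clear()


def replay_scenario():
    """Replay the reply's scenario and return the outcome of each attempt."""
    session = Session()
    hidden = render_login_form(session)
    # What the browser history still holds after the real user logged in.
    form = dict(hidden, username='alice', password='correct horse')
    first = handle_login(session, form)[0]      # the real user logs in
    logout(session)                             # ...and logs out, browser left open
    replay = handle_login(session, form)[0]     # next person hits Back and resubmits
    # Reloading gives a fresh loginid, but the reloaded form has no password in it.
    fresh = render_login_form(session)
    after_reload = handle_login(session, dict(fresh, username='alice', password=''))[0]
    return first, replay, after_reload
```

replay_scenario() returns (True, False, False): the original login works, the resubmitted form from history is rejected because the session no longer holds that loginid, and the reloaded form carries a valid loginid but no longer carries the password.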