On Tuesday February 19, 2002 03:04 pm, John Smith wrote:
> I'm trying to understand the mechanism of password
> secured pages as implemented in the SecurePage.py
> example (Webware 0.6.1b1).
> The purpose of the `loginid' field in these pages is not
> clear. Is it to provide some kind of extra security?
> Or does the basic functionality itself depend on it in
> some way?
> A bit of explanation would be highly welcome!
It's only there to provide a bit of extra security -- the basic functionality
doesn't need the loginid.
Specifically, it prevents someone who has already logged out from using the
browser's Back button to go back to the login page, then click the Forward
button to re-post the form and log in again without having to re-enter the
password. (I have no idea if browsers would actually allow that in practice.)
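
The mechanism described in this reply, sketched as an added example (it is not part of the original message and is not Webware's SecurePage.py code): the login form carries a single-use `loginid` that the server consumes on the first POST, so a re-posted form is refused. The `Session` class, function names, and credential store are hypothetical stand-ins constructed for the illustration.

```python
import hmac
import secrets

# Constructed demo credentials; a real store would hold password hashes.
USERS = {"alice": "correct horse"}


class Session(dict):
    """Hypothetical stand-in for a server-side session object."""


def _equal(a, b):
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())


def render_login_form(session):
    """Issue a fresh loginid, remember it server-side, embed it in the form."""
    loginid = secrets.token_urlsafe(16)
    session["loginid"] = loginid
    return {"loginid": loginid}  # hidden field sent to the browser


def handle_login_post(session, form):
    """Accept the POST only if it carries the loginid issued for this form."""
    expected = session.pop("loginid", None)  # consumed: valid exactly once
    if expected is None or not _equal(expected, form.get("loginid", "")):
        return False  # stale or replayed form, password is not even checked
    password = USERS.get(form.get("username", ""))
    if password is None or not _equal(password, form.get("password", "")):
        return False
    session["authenticated_user"] = form["username"]
    return True


def logout(session):
    session.clear()


def demo():
    session = Session()
    hidden = render_login_form(session)
    post = {"username": "alice", "password": "correct horse", **hidden}
    first = handle_login_post(session, post)   # genuine login
    logout(session)
    replay = handle_login_post(session, post)  # Back, then Forward re-post
    return first, replay, "authenticated_user" in session
```

Because the loginid is removed from the session whether or not the password matches, a failed attempt also forces a fresh form to be rendered before the next try.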