Webware for Python

Christoph Zwerschke wrote:
> If I understand correctly, the login id is used to ensure nobody can
> circumvent the login page (e.h. by providing user and password
> directly 
> as parameters in the URL). So I left the login id mechanism in the
> code, but changed it so that no new login id is created if there is
> already 
> one in the current session. I have checked that in already. The
> Example 
> and Admin pages are not really important, but intended to give people
> an idea how things should be done; so they should do it correctly.

I think the original reason for loginid was: suppose someone logs in, then
leaves their browser open for a while.  Their session expires.  Now suppose
someone else comes up to the browser, uses the Back button to go back to the
login screen, and then presses Forward to re-post the username and password.
The loginid is supposed to prevent this from working.  (I'm not sure if any
modern browsers will re-post a password like that, but I'm thinking that
maybe an old browser like Netscape 4 or an older IE might have been
vulnerable to this sort of thing.)

As long as your newly modified code deletes the loginid as soon as it is
used for a login, then it's fine.

- Geoff

Re: [Webware-discuss] Admin password rejected From: Christoph Zwerschke <cito@on...> - 2006-01-13 17:00 Geoffrey Talvola wrote: > I think the original reason for loginid was: suppose someone logs in, then > leaves their browser open for a while. Their session expires. Now suppose > someone else comes up to the browser, uses the Back button to go back to the > login screen, and then presses Forward to re-post the username and password. > The loginid is supposed to prevent this from working. Ok. There are other scenarios as well where you want things to happen only one time (for instance, database transactions). I wonder whether Webware could provide some methods to do this transparently so you don't have to invent and code this kind of things again and again. > As long as your newly modified code deletes the loginid as soon as it is > used for a login, then it's fine. Yes. The code still immediately clears the whole session after reading the login id. You can use it only one time. -- Christoph

RE: [Webware-discuss] Admin password rejected From: Geoffrey Talvola <GTalvola@Pa...> - 2006-01-13 17:32 Christoph Zwerschke wrote: > Geoffrey Talvola wrote: >> I think the original reason for loginid was: suppose someone logs >> in, then leaves their browser open for a while. Their session >> expires. Now suppose someone else comes up to the browser, uses the >> Back button to go back to the login screen, and then presses Forward >> to re-post the username and password. The loginid is supposed to >> prevent this from working. A common scenario where things can get posted more than once is if the user uses the Back button to go back to a page that was a result of a post, and then presses the Refresh button. The browser will put up a popup offering to re-post the variables. If you don't want that to happen, you can have the servlet that handles the post do a redirect. This seems to prevent the browser from ever re-posting the form -- instead, pressing the Refresh button will re-get the page that was redirected to. > Ok. There are other scenarios as well where you want things to happen > only one time (for instance, database transactions). I wonder whether > Webware could provide some methods to do this transparently so you > don't have to invent and code this kind of things again and again. Seems like a good idea. - Geoff

1 message has been excluded from this view by a project administrator.