Christoph Zwerschke wrote:
> If I understand correctly, the login id is used to ensure nobody can
> circumvent the login page (e.h. by providing user and password
> as parameters in the URL). So I left the login id mechanism in the
> code, but changed it so that no new login id is created if there is
> one in the current session. I have checked that in already. The
> and Admin pages are not really important, but intended to give people
> an idea how things should be done; so they should do it correctly.
I think the original reason for loginid was: suppose someone logs in, then
leaves their browser open for a while. Their session expires. Now suppose
someone else comes up to the browser, uses the Back button to go back to the
login screen, and then presses Forward to re-post the username and password.
The loginid is supposed to prevent this from working. (I'm not sure if any
modern browsers will re-post a password like that, but I'm thinking that
maybe an old browser like Netscape 4 or an older IE might have been
vulnerable to this sort of thing.)
As long as your newly modified code deletes the loginid as soon as it is
used for a login, then it's fine.