1) I'm pretty sure that youre right -- SecurePage doesn't handle POST
properly. It needs to encode the posted variables into hidden fields in the
login form, but it doesn't. Patches welcome.
2) If you use your browser's BACK button to go back to the login form, then
re-post the user name and password, it will always fail to log you in. This
is by design. A unique random ID (I think it's called "loginid") is
generated in a hidden variable in the login form and also saved in the
session, then it is only allowed to be used once after which it is erased
from the session. I put this in for security reasons, so somebody couldn't
log out, then have some nefarious individual go up to their machine and use
the BACK button to go back to the login page, re-POST it, and therefore get
logged back in without having to know the user name and password.
Maybe step 2 above is unnecessary paranoia -- any thoughts?
> -----Original Message-----
> From: Steve Freitas [mailto:sflist@...]
> Sent: Wednesday, June 12, 2002 3:17 AM
> To: Webware Discuss
> Subject: [Webware-discuss] Re: Session glitches with actions under
> Just a quick followup. I noticed it did it again, this time when an
> exception was thrown inside a try-catch block in Page 2.
> If it matters, the exception was smtplib.SMTPRecipientsRefused.
> So instead of logging in, I hit the Back button, which
> brought me back to
> Page 1. Then I hit Reload, and it demanded a login.
> So, at the very least, something about exceptions is invalidating my
> session, I believe. In fact, I remember increased frequency
> of this behavior
> when I was writing exception handling for code using the
> MySQLdb module.
> Sponsored by:
> ThinkGeek at http://www.ThinkGeek.com/
> Webware-discuss mailing list