#37 prevent resubmit already posted loginfor

open
nobody
None
5
2002-10-05
2002-10-05
No

These patches to loginform.ihtml and the validatelogin
in local.inc prevent the resubmission of a form
already submitted, thus preventing going back with the
browser back button and reposting auth credentials when
authentication is expired.

Discussion

  • local.inc with extra check in auth_validatelogin

     
    Attachments
  • loginform.ihtml that adds a uniqid hidden field

     
    Attachments
  • Logged In: YES
    user_id=163488

    My previous version of local.inc stored the used_formids in
    the auth->auth persistent array.
    But once someone logged off, that would be cleared, thus
    again allowing going 'back' to the posted loginform.

    This version stores the used_formids as a persistent session
    variable ($sess->register("used_formids")), so it should be
    there as long as the session is the same.

     
  • validatelogin registers and checks used_formids

     
    Attachments
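
The approach discussed in this thread, as an added PHP example that is not the attached patch or PHPLib code: a hidden form id is accepted only once, and the list of used ids is kept either in per-login state or in a session variable. Plain arrays stand in for PHPLib's auth and session storage; validate_login, check_credentials, the formid field name and the sample credentials are assumptions.

```php
<?php
// Constructed stand-in for the credential check done in auth_validatelogin.
function check_credentials(string $user, string $pass): bool {
    return $user === 'alice' && hash_equals('s3cret', $pass);
}

// $store is wherever used form ids are remembered. Returns the user name on
// success, false on a missing or already-used form id or a failed login.
function validate_login(array $post, array &$store) {
    foreach (['formid', 'username', 'password'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            return false;
        }
    }
    if (isset($store['used_formids'][$post['formid']])) {
        return false;                        // this form was already posted once
    }
    // Burn the id before the password check, so a failed attempt
    // cannot be resent with the back button either.
    $store['used_formids'][$post['formid']] = true;
    return check_credentials($post['username'], $post['password'])
        ? $post['username']
        : false;
}

// Constructed request: the hidden field carries a uniqid value.
$post = ['formid' => uniqid('', true), 'username' => 'alice', 'password' => 's3cret'];

// Case 1: used ids kept in per-login auth state, which logout wipes.
$auth = [];
validate_login($post, $auth);                // first submission
$auth = [];                                  // logout clears the auth state
echo 'replay after logout, auth store:    ';
var_dump(validate_login($post, $auth));

// Case 2: used ids kept in a session variable that survives logout.
$session = [];
validate_login($post, $session);             // first submission
echo 'replay after logout, session store: ';
var_dump(validate_login($post, $session));
```

The used-id list grows for as long as the session lives, so a deployment would want to cap or expire it. The check only remembers ids that were used; it does not verify that an id was issued by the server.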