From: Geoffrey T. <gta...@na...> - 2003-01-13 15:57:20

Randall Randall [mailto:ra...@ra...] wrote:
> > I have never understood where session.value('loginid') is being set,
> > why it is being deleted if it exists, why the incoming id must match
> > the old value, and what is the benefit of doing request.delField(...).
>
> loginid is set in login.py, another Example page. The answers to the
> others aren't clear to me, except that perhaps it is supposed to be a
> defense against replay attacks.

That's the idea. In other words, if you use the browser's "back" button after logging out to go back to the login page, then you hit the "forward" button to re-post the login, it won't work the second time. That's why we put in the one-time loginid and make sure to get rid of it right away.

- Geoff
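The one-time loginid mechanism Geoff describes, as an added example that is not part of the original thread or of Webware's login.py: plain dicts stand in for the session and the request fields, and the function names, the `check_password` callback and the hidden-field name are assumptions made for illustration.

```python
import secrets


def render_login_form(session):
    """Serve the login page: mint a fresh one-time loginid and store it in
    the session. The caller embeds the returned value as a hidden field."""
    loginid = secrets.token_hex(16)
    session['loginid'] = loginid
    return loginid


def handle_login_post(session, fields, check_password):
    """Process a posted login form; return True only on a valid login.

    The stored loginid is removed from the session *before* anything is
    checked, so a second post of the same form (browser back, then forward)
    finds no stored id and fails the match, even with correct credentials.
    """
    expected = session.pop('loginid', None)
    submitted = fields.get('loginid')
    if expected is None or submitted is None:
        return False
    if not secrets.compare_digest(expected, submitted):
        return False
    # Mirrors request.delField(...) in the thread: the consumed id is dropped
    # from the request so it is not echoed back into a later page (the thread
    # itself does not state the reason; this is an assumed rationale).
    fields.pop('loginid', None)
    return check_password(fields.get('username', ''),
                          fields.get('password', ''))


def demo_replay():
    """Constructed scenario: a valid login, then a replay of the same post.
    Returns (first_result, replay_result)."""
    users = {'alice': 'correct horse'}          # constructed sample user
    check = lambda u, p: users.get(u) == p       # stand-in credential check
    session = {}
    loginid = render_login_form(session)
    post = {'loginid': loginid, 'username': 'alice', 'password': 'correct horse'}
    first = handle_login_post(session, dict(post), check)
    replay = handle_login_post(session, dict(post), check)
    return first, replay


def demo_tampered():
    """Constructed scenario: the submitted id does not match the stored one."""
    session = {}
    render_login_form(session)
    post = {'loginid': 'not-the-issued-id', 'username': 'alice', 'password': 'x'}
    return handle_login_post(session, dict(post), lambda u, p: True)
```

Note that `handle_login_post` consumes the stored id unconditionally, so even a failed credential check forces a fresh login page before the next attempt, which is what makes the re-post fail.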