[Neomail-users] Neomail security
From: <la...@te...> - 2004-11-29 16:19:06
In neomail the logout is not a real logout. Try to log in to neomail, and then log out. You are sent to the login screen, but if you push the back button in explorer you'll get the "page expired" message; then you refresh the page and you are inside neomail again, but you have not written your login pass again!!!

So, if anybody logs out from neomail and leaves the computer on (with the explorer open), another person could enter his neomail account using the pages stored in the browser history.

I think neomail would have to accept the login from a refreshed expired page. The only way I've found is to add a "time mark" in the login form and compare this time mark with a time mark calculated at the moment of login: if the difference is a few seconds the login is processed, but if the difference is too high the login is not processed. But there is a problem: if the user takes too much time writing his login data, the login is rejected too.

Regards
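
The time-mark check proposed in the message above, as an added example that is not part of the original post or of Neomail's code: the mark is HMAC-signed so the browser cannot alter it and, going beyond the post, each mark is accepted only once, so a refresh inside the time window is refused too. All names, the 120-second window and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical names throughout; this is not Neomail code.
SERVER_KEY = secrets.token_bytes(32)  # per-install secret, never sent to the browser
MAX_AGE = 120                         # assumed seconds allowed between form render and submit
_used = set()                         # marks already consumed (in-memory for the demo)


def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_mark(now):
    """Value for a hidden field in the login form: 'timestamp:nonce:mac'."""
    body = f"{int(now)}:{secrets.token_hex(8)}"
    return f"{body}:{_mac(body)}"


def check_mark(mark, now):
    """Return 'ok', or the reason the login POST must be refused."""
    try:
        ts, nonce, mac = mark.split(":")
        issued = int(ts)
    except ValueError:
        return "malformed"
    expected = _mac(f"{ts}:{nonce}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "forged"    # timestamp or nonce was edited client-side
    if now - issued > MAX_AGE:
        return "expired"   # stale form: replay from history, or a slow typist
    if mark in _used:
        return "replayed"  # same form data resubmitted inside the window
    _used.add(mark)
    return "ok"
```

On "expired" the server can re-render the login form with a fresh mark instead of showing an error, which softens the slow-typist problem the message points out.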