From: Geoffrey T. <GTalvola@Parlancecorp.com> - 2006-01-13 15:13:44
Christoph Zwerschke wrote:
> If I understand correctly, the login id is used to ensure nobody can
> circumvent the login page (e.g. by providing user and password directly
> as parameters in the URL). So I left the login id mechanism in the
> code, but changed it so that no new login id is created if there is
> already one in the current session. I have checked that in already. The
> Example and Admin pages are not really important, but intended to give
> people an idea how things should be done; so they should do it correctly.

I think the original reason for loginid was: suppose someone logs in, then leaves their browser open for a while. Their session expires. Now suppose someone else comes up to the browser, uses the Back button to go back to the login screen, and then presses Forward to re-post the username and password. The loginid is supposed to prevent this from working. (I'm not sure if any modern browsers will re-post a password like that, but I'm thinking that maybe an old browser like Netscape 4 or an older IE might have been vulnerable to this sort of thing.)

As long as your newly modified code deletes the loginid as soon as it is used for a login, then it's fine.

- Geoff
From: Geoffrey T. <GTalvola@Parlancecorp.com> - 2006-01-13 17:32:41
Christoph Zwerschke wrote:
> Geoffrey Talvola wrote:
>> I think the original reason for loginid was: suppose someone logs
>> in, then leaves their browser open for a while. Their session
>> expires. Now suppose someone else comes up to the browser, uses the
>> Back button to go back to the login screen, and then presses Forward
>> to re-post the username and password. The loginid is supposed to
>> prevent this from working.

A common scenario where things can get posted more than once is if the user uses the Back button to go back to a page that was a result of a post, and then presses the Refresh button. The browser will put up a popup offering to re-post the variables. If you don't want that to happen, you can have the servlet that handles the post do a redirect. This seems to prevent the browser from ever re-posting the form -- instead, pressing the Refresh button will re-get the page that was redirected to.

> Ok. There are other scenarios as well where you want things to happen
> only one time (for instance, database transactions). I wonder whether
> Webware could provide some methods to do this transparently so you
> don't have to invent and code these kinds of things again and again.

Seems like a good idea.

- Geoff
From: Christoph Z. <ci...@on...> - 2006-01-13 17:00:55
Geoffrey Talvola wrote:
> I think the original reason for loginid was: suppose someone logs in, then
> leaves their browser open for a while. Their session expires. Now suppose
> someone else comes up to the browser, uses the Back button to go back to the
> login screen, and then presses Forward to re-post the username and password.
> The loginid is supposed to prevent this from working.

Ok. There are other scenarios as well where you want things to happen only one time (for instance, database transactions). I wonder whether Webware could provide some methods to do this transparently so you don't have to invent and code these kinds of things again and again.

> As long as your newly modified code deletes the loginid as soon as it is
> used for a login, then it's fine.

Yes. The code still immediately clears the whole session after reading the login id. You can use it only one time.

-- Christoph
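The two mechanisms discussed across this thread, a single-use loginid that is issued on the login page and consumed by the login POST, and a redirect after a successful POST so a Refresh re-gets instead of re-posting, as an added example that is not Webware's own code. It assumes an in-memory session store, a constructed user table, and hypothetical handler names (`login_page`, `login_post`); the `demo` function walks through a normal login, a Back/Forward re-post of the same form, and a re-post after the session has expired.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    data: dict = field(default_factory=dict)
    expired: bool = False


class SessionStore:
    """Minimal in-memory session store (stand-in for a framework's session manager)."""

    def __init__(self):
        self._sessions = {}

    def new(self):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = Session()
        return sid, self._sessions[sid]

    def get(self, sid):
        session = self._sessions.get(sid)
        if session is None or session.expired:
            return None
        return session

    def expire(self, sid):
        if sid in self._sessions:
            self._sessions[sid].expired = True


# Constructed credentials for the demo; a real application stores password hashes.
USERS = {"alice": "correct horse"}


def login_page(store, sid):
    """GET /login: issue a loginid, or reuse the one already in the session.

    Returns (session id, loginid) so the form can carry the loginid as a hidden field.
    """
    session = store.get(sid)
    if session is None:
        sid, session = store.new()
    # Reuse an existing loginid instead of minting a new one on every GET.
    loginid = session.data.setdefault("loginid", secrets.token_urlsafe(16))
    return sid, loginid


def login_post(store, sid, form):
    """POST /login: the loginid is valid exactly once. Returns (status, location or message)."""
    session = store.get(sid)
    if session is None:
        # Expired session: the re-posted form has nothing to match against.
        return 403, "session expired; reload the login page"
    # pop() consumes the loginid whether or not the rest of the login succeeds.
    expected = session.data.pop("loginid", None)
    presented = form.get("loginid", "")
    if expected is None or not secrets.compare_digest(expected, presented):
        return 403, "stale or missing loginid"
    user = form.get("username", "")
    password = form.get("password", "")
    if user not in USERS or not secrets.compare_digest(USERS[user], password):
        return 401, "bad credentials"
    # Drop everything that was in the session before authentication, then record the user.
    session.data.clear()
    session.data["user"] = user
    # Post/Redirect/Get: the browser lands on /home via GET, so Refresh never re-posts.
    return 303, "/home"


def demo():
    store = SessionStore()
    sid, loginid = login_page(store, None)
    form = {"loginid": loginid, "username": "alice", "password": "correct horse"}
    first = login_post(store, sid, form)      # normal login -> redirect
    replay = login_post(store, sid, form)     # Back + Forward re-post of the same form
    store.expire(sid)
    after_expiry = login_post(store, sid, form)  # re-post once the session is gone
    return first, replay, after_expiry


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The replay is rejected because `pop()` removed the loginid on first use, while the logged-in user stays in the session; the re-post after expiry is rejected because there is no live session to match the form against. Returning 303 on success is the redirect Geoff describes: the page the browser ends up on was fetched with GET, so Refresh repeats a GET rather than the credential POST.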