Hi all

The situation:

1. The user logs in and the cookie is set.
2. The user requests a page with a form and submit button.
3. The page contains a request to a python script.
4. The python script adds data to a SQL table.
5. User is redirected to a "thanks" page. The address bar refers to the script (not the "thanks" page).
6. The user logs out (The cookie should expire here).
7. The user clicks on the "back" button to come back to the "thanks" page.
8. The user reloads. At this stage another entry is made in the SQL table.

I want to put an end to this behaviour of the site. The user should not be able to insert data by just reloading. My question is: Can cookies be of any use here? The problem is that unless the user closes the browser this is not unset. The user is not able to see other pages but can activate the script !!

TIA
Chetan
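The steps above describe a classic duplicate-submit-on-reload problem: the script URL stays in the address bar, so "back" plus "reload" re-sends the request, and if the script only relies on the browser having a cookie, an expired-but-still-present cookie is enough to trigger it. The following is an added example (not Chetan's, Dieter's or Zope's code) that models the thread's steps with in-memory Python stand-ins. It assumes two server-side stores, a session table keyed by cookie value and a table of one-time form tokens, and a sqlite table in place of the SQL table in the post; none of these names are Zope APIs. The script consumes the token before inserting, so a reload hits a used token, and logout invalidates the session on the server, so a cookie the browser keeps resending no longer authorises anything.

```python
import secrets
import sqlite3

# Constructed server-side state (assumptions for this example, not Zope's session machinery).
_sessions = {}      # cookie value -> username; logout removes the entry
_form_tokens = {}   # one-time token -> cookie value it was issued to

# Stand-in for the SQL table the script writes to.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE entries (id INTEGER PRIMARY KEY, user TEXT, data TEXT)")


def login(user):
    """Step 1: create a session and return the cookie value the browser will store."""
    cookie = secrets.token_urlsafe(16)
    _sessions[cookie] = user
    return cookie


def logout(cookie):
    """Step 6: invalidate server-side, regardless of what the browser does with the cookie."""
    _sessions.pop(cookie, None)
    for tok in [t for t, c in _form_tokens.items() if c == cookie]:
        del _form_tokens[tok]


def render_form(cookie):
    """Step 2: the form page embeds a fresh one-time token as a hidden field."""
    if cookie not in _sessions:
        return None
    token = secrets.token_urlsafe(16)
    _form_tokens[token] = cookie
    return token


def submit(cookie, token, data):
    """Steps 3-4: the script the form posts to. Returns a status string."""
    user = _sessions.get(cookie)
    if user is None:
        return "denied: no valid session"
    if _form_tokens.get(token) != cookie:
        return "ignored: token already used or unknown"
    # Consume the token before writing, so a reload of the same request finds it gone.
    del _form_tokens[token]
    db.execute("INSERT INTO entries (user, data) VALUES (?, ?)", (user, data))
    db.commit()
    return "inserted"


def entry_count():
    return db.execute("SELECT COUNT(*) FROM entries").fetchone()[0]


def scenario():
    """Walks the thread's steps: submit, reload, logout, back + reload."""
    db.execute("DELETE FROM entries")
    cookie = login("chetan")
    token = render_form(cookie)
    r1 = submit(cookie, token, "hello")   # original submission
    r2 = submit(cookie, token, "hello")   # step 8 before logout: reload of the script URL
    logout(cookie)
    r3 = submit(cookie, token, "hello")   # steps 7-8: back + reload with the stale cookie
    return [r1, r2, r3], entry_count()


if __name__ == "__main__":
    print(scenario())
```

The token alone stops the duplicate row; the server-side session check is what makes logout effective even when the browser still sends the cookie, which is the concern raised later in the thread. Redirecting to the "thanks" page with a 303 after the insert would additionally keep the script URL out of the address bar.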
Dieter Maurer wrote:
Chetan Kumar writes:
... 6. The user logs out (The cookie should expire here)
You know the "expireCookie" method of the response object?
Yes. I have used this. However, the problem is elsewhere. The users can just click "reload" and the python script performs its action !! I can stop the python script from behaving in this manner in a more explicit way, but I would expect that once the cookie is expired the users should not be able to do anything without login.

Regards,
Chetan
Chetan Kumar wrote:
Dieter Maurer wrote:
Chetan Kumar writes:
... 6. The user logs out (The cookie should expire here)
You know the "expireCookie" method of the response object?
Yes. I have used this. However, the problem is elsewhere. The users can just click "reload" and the python script performs its action !! I can stop the python script from behaving in this manner in a more explicit way, but I would expect that once the cookie is expired the users should not be able to do anything without login.

Regards,
Chetan
Then please use something like Shane's tcpwatch (-> google) to monitor the communication between browser and Zope. Maybe the old cookie is resent when pressing back?

cheers,
oliver
Do you know for sure that the cookie expires? And if so, does the page check for the cookie to be valid (unexpired?) in order to perform its action?

Russell

On Tuesday 03 September 2002 01:56 am, you wrote:
Dieter Maurer wrote:
Chetan Kumar writes:
... 6. The user logs out (The cookie should expire here)
You know the "expireCookie" method of the response object?
Yes. I have used this. However, the problem is elsewhere. The users can just click "reload" and the python script performs its action !! I can stop the python script from behaving in this manner in a more explicit way, but I would expect that once the cookie is expired the users should not be able to do anything without login.

Regards,
Chetan
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Chetan Kumar writes:
Dieter Maurer wrote:
Chetan Kumar writes:
... 6. The user logs out (The cookie should expire here)
You know the "expireCookie" method of the response object?
Yes. I have used this. However, the problem is elsewhere. The users can just click "reload" and the python script performs its action !! I can stop the python script from behaving in this manner in a more explicit way, but I would expect that once the cookie is expired the users should not be able to do anything without login.

I see two potential reasons:

* You are using "expireCookie" in a wrong way: The "path" parameter must be specified in the same way as for the respective "setCookie". Note that "path" is automatically determined by the browser if you do not specify "path" explicitly. Please read the Cookie specification for details.

* Your permission to role mapping is inadequate: Calling a Python Script is protected by the "View" permission. By default, "View" is granted to "Anonymous". If you do not like that, change the permission to role mapping. Read the security chapter in the Zope book for details.

Dieter
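Dieter's first point, that "expireCookie" only removes the cookie if its path matches the one used by "setCookie", can be checked against a small model of how a browser stores cookies. This is an added example, not Dieter's or Zope's code: the `BrowserJar` class is an assumed stand-in for the browser's cookie store, the URLs under `zope.example` are constructed, and the path rules follow RFC 6265 (default-path and path-match), which codify the behaviour the Netscape cookie specification described. A browser identifies a cookie by name plus domain plus path, so an expiring Set-Cookie with a different path creates or removes a different cookie and leaves the login cookie in place.

```python
from urllib.parse import urlsplit


def default_path(request_url):
    """RFC 6265 5.1.4: with no Path attribute, the cookie's path is the
    request URL's path up to, but not including, its last '/'."""
    path = urlsplit(request_url).path
    if not path.startswith("/") or path.count("/") == 1:
        return "/"
    return path[:path.rfind("/")]


def path_matches(cookie_path, request_path):
    """RFC 6265 5.1.4 path-match: decides whether a stored cookie is sent."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


class BrowserJar:
    """Assumed minimal model of a browser cookie store (single host)."""

    def __init__(self):
        self._cookies = {}   # (name, path) -> value

    def receive(self, request_url, name, value, path=None, expires_in_past=False):
        """Process one Set-Cookie header received in the response to request_url."""
        path = path or default_path(request_url)
        key = (name, path)
        if expires_in_past:
            # Only the cookie with the same name AND path is removed.
            self._cookies.pop(key, None)
        else:
            self._cookies[key] = value

    def cookies_for(self, request_url):
        """Cookies the browser would attach to a request for request_url."""
        req_path = urlsplit(request_url).path
        return {name: value for (name, path), value in self._cookies.items()
                if path_matches(path, req_path)}


def logout_scenarios():
    """Returns (cookie still sent after logout without path, after logout with path='/')."""
    results = []
    for expire_path in (None, "/"):
        jar = BrowserJar()
        # Login: setCookie('auth', ..., path='/') so the whole site receives it.
        jar.receive("http://zope.example/app/login", "auth", "s3cr3t", path="/")
        # Logout: expireCookie('auth') with or without the matching path keyword.
        jar.receive("http://zope.example/app/logout", "auth", "deleted",
                    path=expire_path, expires_in_past=True)
        results.append("auth" in jar.cookies_for("http://zope.example/app/script"))
    return tuple(results)


if __name__ == "__main__":
    print(logout_scenarios())
```

In the first scenario the logout response is served from `/app/logout`, so the browser files the expiring cookie under path `/app` and the login cookie stored under `/` keeps being sent to the script; in the second the paths agree and the cookie is gone. Watching the actual Set-Cookie and Cookie headers with a proxy such as tcpwatch, as Oliver suggests, shows the same thing on a live Zope instance.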