[Zope-CMF] CPSSecurityPolicy - logging out.
Jean-Marc Orliaguet
jmo at ita.chalmers.se
Thu Jan 13 06:12:09 EST 2005
Hi!
I saw the CPSSecurityPolicy product in the nuxeo cvs that strengthens
security (policies, etc). There is one security aspect that it could
handle too, namely that it is possible by going back in the history to
login again after having logged out (having cleared ZopeId / __ac) by
answering "YES" to the question:
"""The page that you are trying to see contains POSTDATA. If you resend
the data, any action in the form carried out ... will be repeated. To
resend the data, click OK otherwise click Cancel."""
on the "logged_in" page.
Which means that logging out has no practical effect unless one has closed
the browser and cleared all form data.
The same occurs with CMFDefault, maybe it should be fixed there?
/JM
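As an added illustration (not code from this message, nor from CPS, CMFDefault or Zope), here is a minimal login service modelled in Python in which every rendered login form carries a single-use token, so resending the same login POSTDATA after logout is rejected; the class, method names and credentials are constructed for the example:

```python
import secrets
import hmac

# Constructed example: a cookie-login service whose login form carries a
# single-use token, so a replayed login POST (browser "resend POSTDATA"
# after going back in history) cannot re-create a session after logout.

USERS = {"alice": "correct horse"}  # constructed credentials


class LoginService:
    def __init__(self):
        self._pending_tokens = set()   # tokens issued to rendered login forms
        self._sessions = {}            # __ac-style cookie value -> username

    def render_login_form(self):
        """Called on GET of the login form: issue a fresh single-use token."""
        token = secrets.token_urlsafe(16)
        self._pending_tokens.add(token)
        return token

    def login(self, username, password, form_token):
        """Handle the POST. Returns the cookie value, or None if rejected."""
        # Consume the token first: a second POST with the same token fails
        # even though the credentials it carries are still valid.
        if form_token not in self._pending_tokens:
            return None
        self._pending_tokens.discard(form_token)
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        cookie = secrets.token_urlsafe(16)
        self._sessions[cookie] = username
        return cookie

    def logout(self, cookie):
        """Invalidate server-side too, not only by clearing the client cookie."""
        self._sessions.pop(cookie, None)


def replay_after_logout():
    """Simulate: GET form, POST login, logout, then resend the same POST."""
    svc = LoginService()
    token = svc.render_login_form()
    first = svc.login("alice", "correct horse", token)
    svc.logout(first)
    replay = svc.login("alice", "correct horse", token)  # same POSTDATA
    fresh = svc.login("alice", "correct horse", svc.render_login_form())
    return first is not None, replay is None, fresh is not None
```

A fresh GET of the form still yields a working login, so the check only blocks the replayed submission, not the user.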