[Zope-CMF] Re: CPSSecurityPolicy - logging out.

Tres Seaver tseaver at zope.com
Thu Jan 13 07:57:28 EST 2005


Jean-Marc Orliaguet wrote:
> 
> Hi!
> 
> I saw the CPSSecurityPolicy product in the nuxeo cvs that strengthens 
> security (policies, etc). There is one security aspect that it could 
> handle too, namely that it is possible by going back in the history to 
> login again after having logged out (having cleared ZopeId / __ac) by 
> answering "YES" to the question:
> 
> """The page that you are trying to see contains POSTDATA. If you resend 
> the data, any action in the form carried out ... will be repeated. To 
> resend the data, click OK otherwise click Cancel."""
> 
> on the "logged_in" page.
> 
> Which means that logging out has no practical effect unless one has closed 
> the browser and cleared all form data.
> 
> The same occurs with CMFDefault, maybe it should be fixed there?

How would you distinguish resubmission of the form from the initial 
submission?

Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
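One way to tell a replayed login POST from the initial submission, as an added illustration that is not code from this thread, from CPSSecurityPolicy or from CMFDefault: bind each rendering of the login form to a single-use server-side nonce, so a second POST of the same form data (the browser's "resend POSTDATA" after going back in history) no longer carries a pending token. The `__ac_name` / `__ac_password` field names follow Zope's cookie-login convention; the nonce field name, the in-memory store and the 300 s lifetime are assumptions for the example.

```python
import secrets
import time

# Constructed in-memory store of unused login nonces: nonce -> issue time.
# In a real Zope/CMF deployment this would be kept server-side (session or
# persistent object), never only in the form itself.
_NONCE_TTL = 300  # seconds a rendered login form stays valid (assumed value)
_pending = {}

def issue_login_nonce(now=None):
    """Called when rendering the login form: mint a one-time token to embed
    as a hidden field next to __ac_name / __ac_password."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(32)
    _pending[nonce] = now
    return nonce

def consume_login_nonce(nonce, now=None):
    """Called when the login form is POSTed. Returns True exactly once per
    issued nonce; a replayed POST (browser history, 'resend POSTDATA')
    carries a nonce that is no longer pending and is rejected."""
    now = time.time() if now is None else now
    issued = _pending.pop(nonce, None)
    if issued is None:
        return False  # unknown or already consumed: treat as a replay
    if now - issued > _NONCE_TTL:
        return False  # form rendered too long ago: treat as stale
    return True

def handle_login_post(form, authenticate, now=None):
    """Minimal login handler: credentials are only checked when the nonce
    is fresh, so re-submitting the same POST after logout does not log
    the user back in. `authenticate` is the caller's credential check."""
    if not consume_login_nonce(form.get("login_nonce", ""), now=now):
        return "replay_rejected"
    if authenticate(form.get("__ac_name"), form.get("__ac_password")):
        return "logged_in"
    return "bad_credentials"
```

The same nonce check also limits how long a rendered login form remains usable, which is why the issue time is stored alongside the token.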