[Zope-CMF] Re: CPSSecurityPolicy - logging out.

Jean-Marc Orliaguet jmo at ita.chalmers.se
Thu Jan 13 09:46:48 EST 2005


Tres Seaver wrote:

> Jean-Marc Orliaguet wrote:
>
>>
>> Hi!
>>
>> I saw the CPSSecurityPolicy product in the nuxeo cvs that strengthens 
>> security (policies, etc). There is one security aspect that it could 
>> handle too, namely that it is possible by going back in the history 
>> to login again after having logged out (having cleared ZopeId / 
>> __ac)  by answering "YES" to the question:
>>
>> """The page that you are trying to see contains POSTDATA. If you 
>> resend the data, any action in the form carried out ... will be 
>> repeated. To resend the data, click OK otherwise click Cancel."""
>>
>> on the "logged_in" page.
>>
>> Which means that logging out has no practical effect unless one has 
>> closed the browser and cleared all form data.
>>
>> The same occurs with CMFDefault, maybe it should be fixed there?
>
>
> How would you distinguish resubmission of the form from the initial 
> submission?
>
> Tres.


Hi,

It is enough to do a redirect from 'logged_in' to another page; then the 
form information will apparently get lost.

Plone does a redirection from logged_in.py to login_success.pt for instance.

regards /JM
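The Post/Redirect/Get arrangement Jean-Marc describes, as an added illustration that is not code from the thread, CMF or Plone: a minimal Python login handler in the direct-render form and in the redirecting form, plus a small simulation of the Back-and-resend step. The handler names, the `USERS` table and the cookie values are constructed for the example.

```python
# Added illustration (hypothetical, not Zope/CMF/Plone code): why a redirect
# after the login POST removes the "resend POSTDATA" re-login path.

USERS = {"alice": "s3cret"}   # constructed sample credential store
AUTH_COOKIE = "__ac"          # cookie name mentioned in the thread


def login_no_redirect(method, path, form):
    """Renders 'logged_in' straight from the POST: the history entry the
    browser keeps is the POST itself, credentials included."""
    if method == "POST" and path == "/logged_in":
        if USERS.get(form.get("name")) == form.get("password"):
            return {"status": 200, "set_cookie": AUTH_COOKIE, "body": "logged in"}
        return {"status": 401, "set_cookie": None, "body": "login failed"}
    return {"status": 404, "set_cookie": None, "body": ""}


def login_with_redirect(method, path, form):
    """Post/Redirect/Get: the POST answers with a redirect, so the history
    entry is the GET of 'login_success' and there is no form data to resend."""
    if method == "POST" and path == "/logged_in":
        if USERS.get(form.get("name")) == form.get("password"):
            return {"status": 302, "set_cookie": AUTH_COOKIE,
                    "location": "/login_success", "body": ""}
        return {"status": 401, "set_cookie": None, "body": "login failed"}
    if method == "GET" and path == "/login_success":
        return {"status": 200, "set_cookie": None, "body": "welcome"}
    return {"status": 404, "set_cookie": None, "body": ""}


def browser_session(handler):
    """Model of: log in, log out, press Back, answer OK to the POSTDATA prompt.
    Browsers record the final request of a redirect chain as the history entry
    and re-issue a 302/303 target as a GET. Returns True if the replayed entry
    handed out the auth cookie again (i.e. the user is silently logged back in)."""
    history = []
    req = ("POST", "/logged_in", {"name": "alice", "password": "s3cret"})
    resp = handler(*req)
    while resp["status"] in (302, 303):          # follow the redirect chain
        req = ("GET", resp["location"], {})
        resp = handler(*req)
    history.append(req)                          # what Back will replay
    # logout clears the cookie client-side; nothing server-side changes here
    replay = handler(*history[-1])
    return replay.get("set_cookie") == AUTH_COOKIE
```

The redirect only stops the browser from replaying the credentials; it does not invalidate anything on the server, so it complements rather than replaces a real logout.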

