[Zope-CMF] Re: CPSSecurityPolicy - logging out.

Tres Seaver tseaver at zope.com
Thu Jan 13 10:12:20 EST 2005


Jean-Marc Orliaguet wrote:

> Tres Seaver wrote:
> 
>> Jean-Marc Orliaguet wrote:
>>
>>> I saw the CPSSecurityPolicy product in the nuxeo cvs that strengthens 
>>> security (policies, etc). There is one security aspect that it could 
>>> handle too, namely that it is possible by going back in the history 
>>> to login again after having logged out (having cleared ZopeId / 
>>> __ac)  by answering "YES" to the question:
>>>
>>> """The page that you are trying to see contains POSTDATA. If you 
>>> resend the data, any action in the form carried out ... will be 
>>> repeated. To resend the data, click OK otherwise click Cancel."""
>>>
>>> on the "logged_in" page.
>>>
>>> Which means that logging out has no practical effect unless one has 
>>> closed the browser and cleared all form data.
>>>
>>> The same occurs with CMFDefault, maybe it should be fixed there?
>>
>> How would you distinguish resubmission of the form from the initial 
>> submission?
>>
> It is enough to do a redirect from 'logged_in' to another page then the 
> form information will apparently get lost.
> 
> Plone does a redirection from logged_in.py to login_success.pt for 
> instance.

+1 for that, then.  Thanks for pointing out the issue!


Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
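The redirect Jean-Marc describes, as an added Python example that is not code from this thread, CMF or Plone: a WSGI login handler that renders the logged_in page in place, beside one that answers the POST with a redirect to login_success (Post/Redirect/Get). The user table, the cookie contents and the paths are constructed for illustration.

```python
from io import BytesIO
from urllib.parse import parse_qs

# Constructed credentials for the demo; a real site checks its user folder.
USERS = {"alice": "s3cret"}

def _authenticate(environ):
    """Parse the posted login form and return the user name, or None."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode())
    user = form.get("__ac_name", [""])[0]
    if USERS.get(user) == form.get("__ac_password", [""])[0]:
        return user
    return None

def logged_in_render_in_place(environ, start_response):
    """The behaviour the thread describes: the POST response *is* the
    logged_in page. It stays in history together with its POSTDATA, so after
    logout the browser can offer to resend the form and obtain a fresh
    __ac cookie (cookie value simplified here; assumption, not Zope's format)."""
    user = _authenticate(environ)
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"login failed"]
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Set-Cookie", f"__ac={user}; Path=/")])
    return [b"<p>You are now logged in.</p>"]

def logged_in_redirect(environ, start_response):
    """The fix suggested above: authenticate, set the cookie, and answer with
    a redirect. History then records the GET of login_success, and going
    back no longer prompts to resubmit the credentials."""
    user = _authenticate(environ)
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"login failed"]
    start_response("302 Found", [("Location", "/login_success"),
                                 ("Set-Cookie", f"__ac={user}; Path=/")])
    return [b""]

def call(app, body):
    """Drive a WSGI app with a constructed POST; return (status, headers)."""
    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": BytesIO(body)}
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    app(environ, start_response)
    return captured["status"], captured["headers"]
```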

