Re: login security issue


  • Subject: Re: login security issue
  • From: Thomas Pelaia II <email@hidden>
  • Date: Thu, 13 Jul 2006 07:46:29 -0400

Xavier,

To be clear, I am destroying the session.  I verified that the old session was destroyed and a new session had been created.  I also verified that the browser was really resubmitting the user name and password to the login page.

-tom




On Jul 13, 2006, at 6:19 AM, email@hidden wrote:

From: Dev WO <email@hidden>

Date: July 13, 2006 5:02:17 AM EDT

To: Cliff Tuel <email@hidden>

Cc: webobjects-dev <email@hidden>

Subject: Re: login security issue



I don't mean to be bad;)

but autocomplete isn't part of (X)HTML, so using it will make your page "not valid". Which may not be an issue for you but it prevents you from:

-having a page accessible for people with disabilities (Double-A and Triple-A require a valid page)

It may also be an issue depending on the laws in your area, for example in Europe, all public-related websites have to be Simple-A (so you can "afford" not to be valid) but should target Double-A (which requires a valid page).


All this standard stuff aside, I'm not sure Thomas is having an issue with caching or autocomplete.

I think you're not destroying the session when the user logs out.

Just make sure the session is terminated in your code.


Xavier

