On Wed, 2007-07-11 at 08:43 -0400, Scott Kaplan wrote:
> Situation:
> => User puts in username & password into a form (uses POST to send data) to log in.
> => When the user is done, he/she logs out.
> => When clicking back (a couple of times) the user eventually reaches the page prompting for username & password
>
> Problem: When the user hits refresh or forward, they're magically logged in again.
The data is kept client side, so you can't clear that. But you can:
1) set an immediate expiry time on the login page (which may or may not work)
2) add a token to the login form, so that the old form would no longer be valid

Clint
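Both of Clint's suggestions in one place, as an added Python example that is not code from the thread: the login page is served with no-cache headers (suggestion 1), and the form carries a one-time token stored server-side in the session (suggestion 2), so a browser re-POSTing the cached form after logout is rejected before credentials are even checked. The in-memory dict standing in for the session store, the `check_credentials` callback and the form values are all constructed for illustration.

```python
import hmac
import secrets

# Headers to send with the login page so browsers do not serve it from cache
# on back/forward navigation (suggestion 1; "may or may not work" depends on the browser).
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}


def issue_login_token(session):
    """Called when the login form is rendered: mint a fresh random token,
    remember it in the server-side session, and embed it in the form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["login_token"] = token
    return token


def consume_login_token(session, submitted):
    """Check the submitted token against the session copy and consume it, so the
    same form can be submitted successfully at most once (suggestion 2)."""
    expected = session.pop("login_token", None)
    if expected is None or submitted is None:
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, submitted)


def handle_login(session, form, check_credentials):
    """Process a login POST. `check_credentials(username, password)` is a
    hypothetical callback into whatever authentication backend the site uses."""
    if not consume_login_token(session, form.get("token")):
        return False, "stale or missing form token"
    if not check_credentials(form.get("username"), form.get("password")):
        return False, "bad credentials"
    session["user"] = form["username"]
    return True, "logged in"


def logout(session):
    """Logging out destroys the whole server-side session, including any pending token."""
    session.clear()


if __name__ == "__main__":
    # Constructed walk-through of the scenario in the thread.
    session = {}
    creds_ok = lambda u, p: u == "alice" and p == "correct horse"
    token = issue_login_token(session)
    form = {"username": "alice", "password": "correct horse", "token": token}
    print(handle_login(session, form, creds_ok))   # fresh form: logged in
    logout(session)
    print(handle_login(session, form, creds_ok))   # replayed form after logout: rejected
```

The token is consumed with `pop`, so even a refresh without an intervening logout fails the second time; the cached page the user reaches via Back still shows the form, but its hidden token no longer matches anything on the server, so the browser's replay of the POST cannot log the user back in.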