On 11 Jul at 13:50 Clinton Gormley <[EMAIL PROTECTED] > wrote in message
<[EMAIL PROTECTED]>

> On Wed, 2007-07-11 at 08:43 -0400, Scott Kaplan wrote:
> > Situation: => User puts in username & password into a form (uses POST to
> > send data) to log in. => When the user is done, he/she logs out. => When
> > clicking back (a couple of times) the user eventually reaches the page
> > prompting for username & password
> > 
> > Problem: When the user hits refresh or forward, they're magically logged
> > in again.
> 
> the data is kept client side, so you can't clear that.
> 
> but you can: 1) set an immediate expiry time on the login page (which may
> or may not work) 2) add a token to the login form, so that the old form
> would no longer be valid
> 

Try setting autocomplete="off" either in the form definition, or in the text
input for the username/password.

<input name="pass"
       type="password"
       value=""
       class="textbox"
       size="15"
       autocomplete="off"
>


-- 
Tony van der Hoff        | mailto:[EMAIL PROTECTED]
Buckinghamshire, England
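
The two suggestions in the quoted reply (an immediate expiry on the login page, and a token in the login form so that an old form is no longer valid), sketched in Python as an added example that is not code from this thread. The names `render_login_form`, `consume_token`, `handle_login`, the `form_token` field, the in-memory store, the 300-second lifetime and the demo credentials are all assumptions made for illustration.

```python
import hmac
import secrets
import time

TOKEN_TTL = 300   # assumed lifetime (seconds) of a rendered login form
_issued = {}      # token -> expiry; stands in for a real server-side store

# Suggestion 1: send these with the login page so the browser does not keep it.
NO_CACHE_HEADERS = {"Cache-Control": "no-store", "Pragma": "no-cache", "Expires": "0"}

def render_login_form(now=None):
    """Issue a fresh single-use token and embed it as a hidden field."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _issued[token] = now + TOKEN_TTL
    html = ('<form method="post" action="/login" autocomplete="off">'
            '<input name="user" type="text">'
            '<input name="pass" type="password" autocomplete="off">'
            f'<input name="form_token" type="hidden" value="{token}">'
            '</form>')
    return token, html

def consume_token(token, now=None):
    """True only the first time an unexpired token is presented."""
    now = time.time() if now is None else now
    expiry = _issued.pop(token, None)   # pop: the token is spent on first use
    return expiry is not None and now <= expiry

def handle_login(post, check_password, now=None):
    """Return (status, redirect target) for a login POST."""
    # Suggestion 2: a re-sent POST (refresh/forward after logout) carries a
    # token that was already spent, so it never reaches the password check.
    if not consume_token(post.get("form_token", ""), now):
        return 303, "/login"            # send the browser to a fresh form
    if not check_password(post.get("user", ""), post.get("pass", "")):
        return 401, None
    return 303, "/home"

def demo_check(user, password):
    """Constructed credentials for the demonstration only."""
    return (hmac.compare_digest(user.encode(), b"alice")
            and hmac.compare_digest(password.encode(), b"s3cret"))

if __name__ == "__main__":
    tok, _ = render_login_form()
    form = {"user": "alice", "pass": "s3cret", "form_token": tok}
    print(handle_login(form, demo_check))   # first submission
    print(handle_login(form, demo_check))   # browser re-sends the same POST
```

A failed password attempt also spends the token, so the error page has to be rendered with a new one.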
