On 11 Jul at 13:50 Clinton Gormley <[EMAIL PROTECTED] > wrote in message <[EMAIL PROTECTED]>
> On Wed, 2007-07-11 at 08:43 -0400, Scott Kaplan wrote:
> > Situation:
> > => User puts in username & password into a form (uses POST to
> >    send data) to log in.
> > => When the user is done, he/she logs out.
> > => When clicking back (a couple of times) the user eventually reaches
> >    the page prompting for username & password
> >
> > Problem: When the user hits refresh or forward, they're magically
> > logged in again.
>
> the data is kept client side, so you can't clear that.
>
> but you can:
> 1) set an immediate expiry time on the login page (which may
>    or may not work)
> 2) add a token to the login form, so that the old form
>    would no longer be valid
>

Try setting autocomplete="off" either in the form definition, or in the text input for the username/password.

<input name="pass" type="password" value="" class="textbox" size="15" autocomplete="off" >

--
Tony van der Hoff | mailto:[EMAIL PROTECTED]
Buckinghamshire, England
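
The single-use form token suggested in point 2 of the quoted reply, sketched as an added example that is not part of the original thread. The function names, the `login_token` field name, the 300-second lifetime and the in-memory nonce store are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed here)
TOKEN_TTL = 300                       # assumed lifetime of a rendered login form, seconds
_used_nonces = {}                     # nonce -> expiry; stands in for a shared store with atomic insert


def _sign(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_login_token(now=None):
    """Create the hidden-field value each time the login form is rendered."""
    now = int(time.time() if now is None else now)
    payload = f"{secrets.token_hex(16)}.{now + TOKEN_TTL}"
    return f"{payload}.{_sign(payload)}"


def redeem_login_token(token, now=None):
    """Accept a token exactly once; reject malformed, forged, expired or reused ones."""
    now = int(time.time() if now is None else now)
    try:
        nonce, expiry_s, sig = token.split(".")
        expiry = int(expiry_s)
        valid = hmac.compare_digest(sig.encode(), _sign(f"{nonce}.{expiry_s}").encode())
    except (AttributeError, ValueError):
        return False  # malformed token
    if not valid or now > expiry:
        return False  # altered token, or the form was rendered too long ago
    for old in [n for n, e in _used_nonces.items() if e < now]:
        del _used_nonces[old]  # expired nonces fail the expiry check anyway
    if nonce in _used_nonces:
        return False  # the browser re-sent an old form (refresh / forward)
    _used_nonces[nonce] = expiry
    return True


def handle_login_post(form, check_password, now=None):
    """Consume the token before looking at the credentials."""
    if not redeem_login_token(form.get("login_token", ""), now):
        return "rejected: stale or reused form"
    if not check_password(form.get("user", ""), form.get("pass", "")):
        return "rejected: bad credentials"
    return "logged in"
```

Because the token is consumed on the first POST, the browser's cached copy of that POST carries a spent token when it is re-sent after logout, so the saved username and password alone no longer log the user in.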