Details
Improvement
Status: Closed
Minor
Resolution: Fixed
3.0.8
None
Description
I noticed on the phpBB.com forum that I could log out, and if I hit the back button in Safari a few times, I could replay my original login by POSTing the form again.
I think that some sort of one-time use token, like a nonce, should be used to guard against this sort of thing. It would require the login form to be reloaded every time, meaning that someone using a browser button to go back and POST again would get an error, even if the username and password submitted were correct.
Or, the form token system, with a short expiry time, such as 3-5 minutes, would also work OK. Just something that prevents a token from being used twice after a period of time.
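The two mitigations proposed above, as an added example that is not part of the original report and not phpBB's own code: a single-use nonce stored in the server-side session and consumed on the first POST, and a stateless HMAC token that expires after a fixed lifetime. The session dictionary, the `SERVER_KEY` value, the five-minute `MAX_AGE`, and the user table are constructed stand-ins; a real deployment would use its own session store, a per-install secret, and a proper password hash.

```python
"""Rejecting a replayed login POST (added example; assumptions noted inline).

Variant 1: single-use nonce kept in the server-side session and consumed on
the first POST, so "back" + resubmit fails even with the correct password.
Variant 2: a stateless, time-limited token (HMAC over session id and issue
time) rejected once it is older than MAX_AGE seconds.
"""
import hashlib
import hmac
import secrets
import time

MAX_AGE = 300  # assumed 5-minute lifetime for the expiring-token variant
SERVER_KEY = b"constructed-per-install-secret-replace-me"  # assumption, not a real key

# Constructed stand-in for a user store (SHA-256 is only for the demo; use a
# real password hash such as bcrypt/argon2 in practice).
_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def check_credentials(username, password):
    """Compare against the constructed user table in constant time."""
    stored = _USERS.get(username, "")
    supplied = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored.encode(), supplied.encode())


# --- Variant 1: single-use nonce (session is a plain dict standing in for
# --- server-side session storage) --------------------------------------

def render_login_form(session):
    """Serve the form: mint a fresh nonce and remember it in the session.

    The returned value is what would go into a hidden <input name="nonce">.
    """
    nonce = secrets.token_urlsafe(32)
    session["login_nonce"] = nonce
    return nonce


def handle_login_post(session, form):
    """Consume the nonce before checking credentials.

    Popping it first means a replayed POST (same nonce, same correct
    password) is refused, and a failed attempt also forces a reload.
    """
    expected = session.pop("login_nonce", None)
    supplied = str(form.get("nonce", ""))
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "error: login form expired, please reload it"
    if not check_credentials(str(form.get("username", "")), str(form.get("password", ""))):
        return "error: bad username or password"
    session["user"] = form["username"]
    return "ok"


# --- Variant 2: time-limited token bound to the session id ---------------

def _mac(session_id, ts):
    return hmac.new(SERVER_KEY, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()


def issue_timed_token(session_id, now=None):
    """Token = issue timestamp + HMAC(key, session_id | timestamp)."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_mac(session_id, ts)}"


def verify_timed_token(session_id, token, now=None):
    """Accept only an untampered token, for this session, at most MAX_AGE old."""
    now = time.time() if now is None else now
    try:
        ts, mac = token.split(":", 1)
        issued = int(ts)
    except ValueError:
        return False
    if not hmac.compare_digest(_mac(session_id, ts).encode(), mac.encode()):
        return False
    age = now - issued
    return 0 <= age <= MAX_AGE


if __name__ == "__main__":
    sess = {}
    n = render_login_form(sess)
    post = {"nonce": n, "username": "alice", "password": "correct horse"}
    print(handle_login_post(sess, post))   # first submit: ok
    print(handle_login_post(sess, post))   # replay via "back": error
```

The nonce variant gives exactly the behaviour the report asks for: the form must be reloaded before every submission, and a browser back button replay is refused even with correct credentials. The timed-token variant needs no server-side state, but on its own it still accepts the same token any number of times inside the `MAX_AGE` window; it only guarantees the replay stops working after that period.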