[Seaside] Re: Logging out from a webpage

Philippe Marschall philippe.marschall at gmail.com
Wed Aug 1 08:00:59 UTC 2007


2007/7/31, Klaus D. Witzel <klaus.witzel at cobss.com>:
> Hi Philippe,
>
> on Tue, 31 Jul 2007 07:02:47 +0200, you wrote:
>
> > 2007/7/30, Klaus D. Witzel <klaus.witzel at cobss.com>:
> >> On Mon, 30 Jul 2007 22:18:57 +0200, Michael Gorsuch wrote:
> >>
> >> > On Mon, Jul 30, 2007 at 04:12:30PM -0400, Richard Eng wrote:
> >> >> If I "logout" from a webpage, which takes me to a new webpage, how do I
> >> >> "invalidate" the previous page or otherwise prevent the user from revisiting
> >> >> it (either through the back button or using history)?
> >> >
> >> > I would look at WATask's 'isolate' method.  This expires previous pages.
> >>
> >> It's also possible to tell the browser to rewrite history, see
> >>
> >> - http://www.google.com/search?q=javascript+location.replace+history
> >>
> >> for examples. I use that to invalidate the previous page when it can be
> >> done from a click on a hyperlink.
> >
> > How very uncool ;) How very low-level
>
> This is all that Seaside can do: send cryptic messages to a browser at the
> lowest-level it understands and then hope that it looks cool and works
> cool :)
>
> If Seaside can do more to the browser then please tell me.

Seaside does not send cryptic messages. It does not use unreliable,
obtrusive JavaScript trickery. Seaside uses HTTP to tell the browser
that the page doesn't exist anymore and that it should go look somewhere
else.

> I'm *not* talking about putting Smalltalk code into methods and classes
> and, once they work make them available for use and reuse in a component
> framework, since this is taken for granted.
>
> > and unreliable. We use #isolate:
> > and #expire for this.
>
> I'm keen to see what that tells the browser to do, i.e. how pages are
> expired which are already in its cache "history" and at the time of
> arrival had no expire-at-logout-time set because logout time is not known
> in advance.
>
> Test case: send pages to which the user can return with #back, then
> #logout and take the browser offline (which is the same as being connected
> to a so called reliable network). Now demonstrate that the pages cannot be
> accessed any longer, in this case not from the browser's cache "history".

You can always return with the back button if you enable caching and
disable JS. This is how the web works and we have to deal with it. But
no actions will get executed if you click somewhere and you will be
informed that this page has expired.

> This should take an experienced Seaside developer ca. 1 1/2 minutes.

See attachment. The sensitive, private information is a counter. Also
note the difference between expiring just some "pages" with #isolate:
and the whole session.

Cheers
Philippe

> /Klaus
>
> > Cheers
> > Philippe
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: LogoutDemo-pmm.1.mcz
Type: application/octet-stream
Size: 1626 bytes
Desc: not available
Url : http://lists.squeakfoundation.org/pipermail/seaside/attachments/20070801/2134ce6c/LogoutDemo-pmm.1.obj
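
Added example, not part of the original message and not Seaside code: a small Python model of the behaviour described in the thread, where a page restored from the browser cache can still be displayed but its links carry keys the server no longer honours. The names (Session, App, the scope label "edit", the counter) are assumptions made for illustration; closing a scope stands in for #isolate: and logout for expiring the whole session.

```python
import secrets

class Expired(Exception):
    """The request refers to a page or session the server has invalidated."""

class Session:
    def __init__(self):
        self.counter = 0            # stands in for the private data
        self.callbacks = {}         # link key -> (action, scope name or None)
        self.closed_scopes = set()  # scopes whose pages may no longer act

    def link(self, action, scope=None):
        key = secrets.token_urlsafe(16)   # unguessable key embedded in the page
        self.callbacks[key] = (action, scope)
        return key

class App:
    def __init__(self):
        self.sessions = {}

    def login(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session()
        return sid

    def logout(self, sid):
        self.sessions.pop(sid, None)      # whole session gone, every key with it

    def click(self, sid, key):
        session = self.sessions.get(sid)
        if session is None:
            raise Expired("session expired")
        action, scope = session.callbacks.get(key, (None, None))
        if action is None or scope in session.closed_scopes:
            raise Expired("page expired")
        return action(session)

def bump(session):
    session.counter += 1
    return session.counter

def replay(app, sid, key):
    """Simulate clicking a link on a page restored from the browser cache."""
    try:
        return app.click(sid, key)
    except Expired as err:
        return str(err)

def demo():
    app = App(); sid = app.login(); s = app.sessions[sid]
    inside, outside = s.link(bump, scope="edit"), s.link(bump)
    first = replay(app, sid, inside)      # link works while the scope is open
    s.closed_scopes.add("edit")           # isolated block finished
    stale = replay(app, sid, inside)      # cached page, link refused
    other = replay(app, sid, outside)     # pages outside the scope still work
    app.logout(sid)
    return first, stale, other, replay(app, sid, outside)
```

The cached HTML itself stays viewable offline in this model, as the message says; only the server-side action is refused.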

