Forum Discussion
- Chris_Grant (Employee)
The point of the redirection is that the user's browser caches the token (which expires) rather than the username and password. So if an attacker tries to reauthenticate by refreshing the browser, the browser sends the token, not the username and password, resulting in a failed login. The login page itself should not be coded to cache the username and password, so navigating back to the first page should present a blank login, not a login page prefilled and ready to resubmit.
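The redirect-after-login flow described in the reply above, as an added example that is not part of the original post: a toy request handler (the names `handle`, `Request`, `Response` and `demo`, the demo credential store and the server-side token table are all constructed for this example, not taken from any real product) that answers a successful `POST /login` with a `303 See Other` and an expiring session token, so that refreshing or going back replays the token rather than the credentials, and that serves the login form with `Cache-Control: no-store` and no prefilled fields.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumed token lifetime (15 minutes); the original post only says the token expires.
TOKEN_TTL_SECONDS = 900

# Constructed demo credential store: username -> salted SHA-256 digest of the password.
# A real system would use a slow password hash; this keeps the example dependency-free.
_SALT = b"constructed-demo-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

# Server-side session table: token -> expiry timestamp (constructed, in-memory).
_sessions = {}


@dataclass
class Request:
    method: str
    path: str
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _check_password(user, password):
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    expected = USERS.get(user)
    # Compare in constant time even for unknown users so timing does not leak usernames.
    same = hmac.compare_digest(digest, expected if expected is not None else digest[::-1])
    return same and expected is not None


def _issue_token(now):
    token = secrets.token_urlsafe(32)
    _sessions[token] = now + TOKEN_TTL_SECONDS
    return token


def _token_valid(token, now):
    expiry = _sessions.get(token)
    return expiry is not None and now < expiry


def handle(req, now=None):
    """Route one request; `now` is injectable so expiry can be exercised in tests."""
    now = time.time() if now is None else now
    if req.path == "/login" and req.method == "GET":
        # The form is never cached and never prefilled, so "back" shows a blank login.
        form = '<form method="post"><input name="user"><input name="password" type="password"></form>'
        return Response(200, {"Cache-Control": "no-store"}, form)
    if req.path == "/login" and req.method == "POST":
        if _check_password(req.form.get("user", ""), req.form.get("password", "")):
            token = _issue_token(now)
            # 303 makes the browser follow with a GET; the history entry becomes
            # GET /home carrying the cookie, not the POST carrying the credentials.
            cookie = f"session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"
            return Response(303, {"Location": "/home", "Set-Cookie": cookie})
        return Response(401, {"Cache-Control": "no-store"}, "invalid credentials")
    if req.path == "/home":
        if _token_valid(req.cookies.get("session"), now):
            return Response(200, {"Cache-Control": "no-store"}, "welcome")
        # Expired or missing token: back to login. Nothing in the replayed request
        # can re-authenticate, because the credentials were never in a GET.
        return Response(302, {"Location": "/login"})
    return Response(404)


def parse_session_cookie(set_cookie):
    """Extract the token value from a Set-Cookie header such as 'session=abc; HttpOnly'."""
    return set_cookie.split(";", 1)[0].split("=", 1)[1]


def demo():
    """Walk the flow: login, use the token, let it expire, refresh, land on a blank login."""
    t0 = 1000.0
    login = handle(Request("POST", "/login", form={"user": "alice", "password": "correct horse"}), now=t0)
    token = parse_session_cookie(login.headers["Set-Cookie"])
    home = handle(Request("GET", "/home", cookies={"session": token}), now=t0 + 60)
    refresh = handle(Request("GET", "/home", cookies={"session": token}), now=t0 + TOKEN_TTL_SECONDS)
    blank = handle(Request("GET", "/login"), now=t0 + TOKEN_TTL_SECONDS)
    return (login.status, home.status, refresh.status, blank.status)


if __name__ == "__main__":
    print(demo())  # (303, 200, 302, 200)
```

The `now` parameter exists only so the expiry path can be driven deterministically; in production the handler would read the clock itself. The `Cache-Control: no-store` on the form and on the authenticated page is what keeps the back button from serving a stale copy of either.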