[undertow-dev] FormAuthentication -> handleRedirectback method
Anil Saldhana
Anil.Saldhana at redhat.com
Thu Dec 19 12:27:47 EST 2013
Thinking further, this may inhibit a case of cookie injection that hacks
the location url.
After form authentication, the server blindly redirects to the location
read from the cookie.
On 12/19/2013 11:24 AM, Anil Saldhana wrote:
> Also no path is being set on the cookie. If a user is using more than one
> web app with FORM authentication
> on the same server, this may wreak havoc.
>
> On 12/19/2013 11:02 AM, Anil Saldhana wrote:
>> Stuart,
>> I am unsure it is right to use cookies to remember the form redirect
>> url. Traditionally, web containers (Tomcat and Jetty) have used http
>> session to remember the redirect url.
>>
>> If a user has turned off cookies, then it may not work.
>>
>> Regards,
>> Anil
>
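An added example, not Undertow's code and not part of the thread above: whether the post-login target is remembered in a cookie or in the HTTP session, the redirect step should not follow it blindly. The plain Java method below (the class name ReturnUrlCheck, the contextPath/fallback parameters and the sample inputs in main are my own assumptions, using only java.net.URI) accepts the remembered location only when it is an absolute path inside this application's context path, and otherwise falls back to a fixed landing page. That closes the cookie-injection case (an attacker planting an absolute or protocol-relative URL) and also keeps a value left by another web app on the same host from redirecting into that app.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example (not Undertow's code): vet a remembered "return to after
// login" location before sending a redirect to it.
public final class ReturnUrlCheck {

    /**
     * Returns the stored target if it is a path local to this application,
     * otherwise the fallback. Rejects absolute URLs, protocol-relative
     * ("//evil.example") URLs, backslashes, control characters and paths that
     * escape the application's context path after normalization.
     */
    public static String safeReturnTarget(String stored, String contextPath, String fallback) {
        if (stored == null || stored.isEmpty()) {
            return fallback;
        }
        // CR/LF or other control characters would allow header injection
        // once the value is echoed into the Location header.
        for (int i = 0; i < stored.length(); i++) {
            char c = stored.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return fallback;
            }
        }
        // Browsers treat "\" like "/" in the authority position; refuse it outright.
        if (stored.indexOf('\\') >= 0) {
            return fallback;
        }
        URI uri;
        try {
            uri = new URI(stored);
        } catch (URISyntaxException e) {
            return fallback;
        }
        // A scheme or an authority means an off-site (open) redirect.
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return fallback;
        }
        // Resolve "." and ".." segments before checking the prefix.
        String path = uri.normalize().getRawPath();
        // Must be an absolute path ("/app/page"), not "//host" or "page".
        if (path == null || !path.startsWith("/") || path.startsWith("//")) {
            return fallback;
        }
        // Stay inside this web application's context path (e.g. "/app").
        String prefix = contextPath.endsWith("/") ? contextPath : contextPath + "/";
        if (!path.equals(contextPath) && !path.startsWith(prefix)) {
            return fallback;
        }
        // Rebuild from the vetted components only (path and query), dropping
        // anything else the original string may have carried.
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    public static void main(String[] args) {
        String ctx = "/app";    // assumed context path of this web app
        String home = "/app/";  // assumed fallback landing page
        // Constructed sample inputs, one per case the check is meant to cover.
        String[] candidates = {
            "/app/orders?id=7",            // legitimate, kept as-is
            "https://evil.example/phish",  // absolute URL, rejected
            "//evil.example/phish",        // protocol-relative URL, rejected
            "/app/../other/admin",         // escapes the context path, rejected
            "/app/x\r\nSet-Cookie: a=b",   // header injection attempt, rejected
            "/otherapp/secret",            // another app on the same host, rejected
            "relative/page",               // not an absolute path, rejected
        };
        for (String c : candidates) {
            System.out.println(c.replace("\r\n", "\\r\\n") + " -> " + safeReturnTarget(c, ctx, home));
        }
    }
}
```

The check validates the value at the moment of redirect, so it protects the session-based approach as well: a session attribute cannot be planted from outside, but a value that slipped in through a crafted pre-login request link still should not send the user off-site.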