[undertow-dev] FormAuthentication -> handleRedirectback method
Anil Saldhana
Anil.Saldhana at redhat.com
Thu Dec 19 12:44:49 EST 2013
Scratch what I just said.
FormAuthentication.java uses cookies while
ServletFormAuthentication.java uses session.
I think the reason is that the former has no facility for Servlet
httpSession.
On 12/19/2013 11:30 AM, Anil Saldhana wrote:
> Probably not going to happen. Just use httpsession. :)
>
> On 12/19/2013 11:27 AM, Anil Saldhana wrote:
>> Thinking further, this may inhibit a case of cookie injection that hacks
>> the location url.
>> After form authentication, the server blindly redirects to the location
>> read from the cookie.
>>
>> On 12/19/2013 11:24 AM, Anil Saldhana wrote:
>>>> Also no path is being set on the cookie. If user is using more than one
>>>> web app with FORM authentication
>>>> on the same server, this may wreck havoc.
>>>>
>>>> On 12/19/2013 11:02 AM, Anil Saldhana wrote:
>>>>>> Stuart,
>>>>>> I am unsure it is right to use cookies to remember the form redirect
>>>>>> url. Traditionally, web containers (Tomcat and Jetty) have used http
>>>>>> session to remember the redirect url.
>>>>>>
>>>>>> If an user has turned off cookies, then it may not work.
>>>>>>
>>>>>> Regards,
>>>>>> Anil
>>>>
More information about the undertow-dev
mailing list