[undertow-dev] FormAuthentication -> handleRedirectback method
Jason Greene
jason.greene at redhat.com
Thu Dec 19 13:02:07 EST 2013
Can you even use the web these days without cookies :)
On Dec 19, 2013, at 11:44 AM, Anil Saldhana <Anil.Saldhana at redhat.com> wrote:
> Scratch what I just said.
>
> FormAuthentication.java uses cookies while
> ServletFormAuthentication.java uses session.
>
> I think the reason is that the former has no facility for Servlet
> httpSession.
>
> On 12/19/2013 11:30 AM, Anil Saldhana wrote:
>> Probably not going to happen. Just use httpsession. :)
>>
>> On 12/19/2013 11:27 AM, Anil Saldhana wrote:
>>> Thinking further, this may inhibit a case of cookie injection that hacks
>>> the location url.
>>> After form authentication, the server blindly redirects to the location
>>> read from the cookie.
>>>
>>> On 12/19/2013 11:24 AM, Anil Saldhana wrote:
>>>>> Also no path is being set on the cookie. If a user is using more than one
>>>>> web app with FORM authentication
>>>>> on the same server, this may wreak havoc.
>>>>>
>>>>> On 12/19/2013 11:02 AM, Anil Saldhana wrote:
>>>>>>> Stuart,
>>>>>>> I am unsure it is right to use cookies to remember the form redirect
>>>>>>> url. Traditionally, web containers (Tomcat and Jetty) have used http
>>>>>>> session to remember the redirect url.
>>>>>>>
>>>>>>> If a user has turned off cookies, then it may not work.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Anil
>>>>>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
--
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat
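The two hazards Anil raises in the quoted thread (a client-controlled cookie feeding the post-login redirect, and a redirect cookie set without a Path attribute) are concrete enough to show in code. The following is an added example written for this page; it is not Undertow's FormAuthentication code and uses no Undertow API. It is plain Java with hypothetical helper names (safeRedirectTarget, redirectCookieHeader), constructed sample inputs, and the assumption that the application is deployed under a context path such as /app.

```java
import java.net.URI;
import java.net.URISyntaxException;

public final class FormRedirectExample {

    /**
     * Validate a post-login redirect target read from client-controlled storage
     * (a cookie, as in the quoted thread, or a request parameter). Anything that
     * is not a plain, same-origin, absolute-path URL inside this application's
     * context path falls back to defaultPath. Hypothetical helper for this example.
     */
    static String safeRedirectTarget(String candidate, String contextPath, String defaultPath) {
        if (candidate == null || candidate.isEmpty()) {
            return defaultPath;
        }
        // Reject protocol-relative ("//evil.example") and backslash forms before parsing;
        // browsers normalise "/\evil.example" to "//evil.example".
        if (candidate.startsWith("//") || candidate.contains("\\")) {
            return defaultPath;
        }
        if (candidate.charAt(0) != '/') {
            return defaultPath; // "http://evil.example/..." or a relative path
        }
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return defaultPath;
        }
        // A parsable value can still carry a scheme or authority; require neither.
        if (uri.getScheme() != null || uri.getAuthority() != null || uri.getRawPath() == null) {
            return defaultPath;
        }
        // Keep the redirect inside this web application's own context path.
        String path = uri.getRawPath();
        if (!path.equals(contextPath) && !path.startsWith(contextPath + "/")) {
            return defaultPath;
        }
        // Drop any fragment; path plus query is what we send in the Location header.
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    /**
     * Build the Set-Cookie header for the saved-location cookie, scoped with Path
     * to the application's context path so that two FORM-authenticated apps on the
     * same host do not read or overwrite each other's redirect target. The value
     * is assumed to be a plain path; encode it if it may contain ';' or spaces.
     */
    static String redirectCookieHeader(String name, String location, String contextPath, boolean secure) {
        StringBuilder sb = new StringBuilder();
        sb.append(name).append('=').append(location);
        sb.append("; Path=").append(contextPath.isEmpty() ? "/" : contextPath);
        sb.append("; HttpOnly; SameSite=Lax");
        if (secure) {
            sb.append("; Secure");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String ctx = "/app";
        String home = "/app/";
        // Constructed inputs: values a client could place in the redirect cookie.
        String[] samples = {
            "/app/orders?id=42",     // legitimate, kept as-is
            "http://evil.example/",  // absolute URL to another host: rejected
            "//evil.example/",       // protocol-relative: rejected
            "/\\evil.example/",      // backslash variant: rejected
            "/other-app/admin",      // different web app on the same host: rejected
            "/app/x#token",          // fragment stripped
            null                     // cookie missing: default used
        };
        for (String s : samples) {
            System.out.println(s + " -> " + safeRedirectTarget(s, ctx, home));
        }
        System.out.println(redirectCookieHeader("FORM_REDIRECT", "/app/orders", ctx, true));
    }
}
```

Storing the saved location in the HTTP session, as the thread notes Tomcat and Jetty do, removes the cookie-injection path altogether, since the client never holds the value. Where a cookie is used, scoping it with Path and validating the value on the way back out are the two checks that matter, and the validation is cheap enough to apply even to a session-stored value.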