[undertow-dev] FormAuthentication -> handleRedirectback method

Stuart Douglas sdouglas at redhat.com
Fri Dec 20 05:36:21 EST 2013



----- Original Message -----
> From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
> To: undertow-dev at lists.jboss.org
> Sent: Thursday, 19 December, 2013 6:44:49 PM
> Subject: Re: [undertow-dev] FormAuthentication -> handleRedirectback method
> 
> Scratch what I just said.
> 
> FormAuthentication.java uses cookies while
> ServletFormAuthentication.java uses session.
> 
> I think the reason is that the former has no facility for Servlet
> httpSession.
> 

I will change the non-servlet one to also use the session. 

Stuart

> On 12/19/2013 11:30 AM, Anil Saldhana wrote:
> > Probably not going to happen. Just use httpsession. :)
> >
> > On 12/19/2013 11:27 AM, Anil Saldhana wrote:
> >> Thinking further, this may inhibit a case of cookie injection that hacks
> >> the location url.
> >> After form authentication, the server blindly redirects to the location
> >> read from the cookie.
> >>
> >> On 12/19/2013 11:24 AM, Anil Saldhana wrote:
> >>>> Also no path is being set on the cookie. If user is using more than one
> >>>> web app with FORM authentication
> >>>> on the same server, this may wreak havoc.
> >>>>
> >>>> On 12/19/2013 11:02 AM, Anil Saldhana wrote:
> >>>>>> Stuart,
> >>>>>>       I am unsure it is right to use cookies to remember the form
> >>>>>>       redirect
> >>>>>> url.  Traditionally, web containers (Tomcat and Jetty) have used http
> >>>>>> session to remember the redirect url.
> >>>>>>
> >>>>>> If a user has turned off cookies, then it may not work.
> >>>>>>
> >>>>>> Regards,
> >>>>>> Anil
> >>>>
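The risk Anil describes above is that whatever store holds the "where to go after login" location (a client-writable cookie in FormAuthentication, the session in ServletFormAuthentication), the server should not redirect to it blindly. The following is an added example, not Undertow's code: a plain-Java check that a saved location is a path inside the current application before it is used in a Location header. The class name SafeRedirect, the method resolve and the parameter names are assumptions for the example; it takes the saved location as a string and knows nothing about the Undertow session API.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example (not Undertow code): sanitise a saved post-login
 * redirect target before issuing the redirect. It assumes the caller
 * has already fetched the saved location from a server-side session
 * rather than from a cookie the client can rewrite.
 */
public final class SafeRedirect {

    private SafeRedirect() {}

    /**
     * Returns a redirect target that stays inside this application, or
     * {@code fallback} if the saved location cannot be trusted.
     *
     * @param saved       location remembered when the login was triggered
     * @param contextPath the application's context path, e.g. "/app"
     * @param fallback    where to send the user if saved is rejected
     */
    public static String resolve(String saved, String contextPath, String fallback) {
        if (saved == null || saved.isEmpty()) {
            return fallback;
        }
        // Only a path-absolute reference is acceptable. "//evil.example" is a
        // scheme-relative URL and would leave the host, so it is refused too.
        if (!saved.startsWith("/") || saved.startsWith("//") || saved.startsWith("/\\")) {
            return fallback;
        }
        // Control characters (CR/LF in particular) could split the Location header.
        for (int i = 0; i < saved.length(); i++) {
            char c = saved.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return fallback;
            }
        }
        URI uri;
        try {
            uri = new URI(saved);
        } catch (URISyntaxException e) {
            return fallback;
        }
        // A parsed scheme or authority means the string was not a plain path.
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return fallback;
        }
        // Collapse "/app/../other/x" style segments, then confirm the result
        // still lives under this application's context path.
        String path = uri.normalize().getRawPath();
        if (path == null || !(path.equals(contextPath) || path.startsWith(contextPath + "/"))) {
            return fallback;
        }
        // Keep the query string, drop any fragment (never sent to the server anyway).
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    // Constructed sample inputs: one legitimate saved location and several
    // that a tampered cookie could carry.
    public static void main(String[] args) {
        String ctx = "/app";
        String fb = "/app/";
        String[] samples = {
            "/app/orders?id=7",
            "//evil.example/x",
            "https://evil.example/",
            "/app/../other/",
            "/app/x\r\nSet-Cookie: a=b"
        };
        for (String s : samples) {
            System.out.println(s.replace("\r\n", "\\r\\n") + " -> " + resolve(s, ctx, fb));
        }
    }
}
```

Moving the saved location into the session removes the client's ability to write it directly, but the value is still derived from a request the client controlled, so the check above belongs in front of the redirect regardless of where the value was stored.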
