Thinking further, this may inhibit a case of cookie injection that hacks
the location url.
After form authentication, the server blindly redirects to the location
read from the cookie.

On 12/19/2013 11:24 AM, Anil Saldhana wrote:
Also no path is being set on the cookie. If a user is using more than one
web app with FORM authentication on the same server, this may wreak havoc.

On 12/19/2013 11:02 AM, Anil Saldhana wrote:
> Stuart,
> I am unsure it is right to use cookies to remember the form redirect
> url. Traditionally, web containers (Tomcat and Jetty) have used http
> session to remember the redirect url.
>
> If a user has turned off cookies, then it may not work.
>
> Regards,
> Anil
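
An added example, not code from this thread or from the project under discussion: one way to check a redirect location read from a cookie before redirecting after form authentication, so that an injected value falls back to the application root instead of leading off-site or into another web app on the same server. The class name, `safeRedirect`, the `/shop` context path and the sample values are assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class SavedLocationCheck {
    // Hypothetical helper: returns the cookie value only if it is a path inside
    // this application; otherwise returns the application's root.
    static String safeRedirect(String cookieValue, String contextPath) {
        String fallback = contextPath + "/";
        if (cookieValue == null || cookieValue.isEmpty()) return fallback;
        // Control characters (CR/LF included) could split the Location header;
        // some browsers treat a backslash as '/'.
        for (char c : cookieValue.toCharArray()) {
            if (c < 0x20 || c == 0x7f || c == '\\') return fallback;
        }
        // Only server-relative paths; "//host/..." is scheme-relative and leaves the site.
        if (!cookieValue.startsWith("/") || cookieValue.startsWith("//")) return fallback;
        URI uri;
        try {
            uri = new URI(cookieValue).normalize(); // collapses "/shop/../billing"
        } catch (URISyntaxException e) {
            return fallback;
        }
        if (uri.isAbsolute() || uri.getRawAuthority() != null) return fallback;
        String path = uri.getRawPath();
        if (path == null) return fallback;
        // Encoded dots and slashes would survive normalize() and be decoded later.
        if (path.toLowerCase().matches(".*%(2e|2f|5c).*")) return fallback;
        // The cookie carries no Path attribute, so it may have been set by a
        // different web app on the same server: require our own context path.
        boolean inside = path.equals(contextPath) || path.startsWith(contextPath + "/");
        return inside ? uri.toString() : fallback;
    }

    public static void main(String[] args) {
        String ctx = "/shop"; // constructed context path
        String[] samples = {  // constructed cookie values
            "/shop/cart?id=1",
            "https://attacker.example/login",
            "//attacker.example/login",
            "/shop/../billing/admin",
            "/shop/%2e%2e/billing/admin",
            "/billing/invoices",
            "/shop/x\r\nSet-Cookie: a=b"
        };
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.println(shown + " -> " + safeRedirect(s, ctx));
        }
    }
}
```

Only the first sample is returned unchanged; every other value falls back to `/shop/`.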