Scratch what I just said.
FormAuthentication.java uses cookies while
ServletFormAuthentication.java uses the session.
I think the reason is that the former has no facility for the Servlet
HttpSession.
On 12/19/2013 11:30 AM, Anil Saldhana wrote:
> Probably not going to happen. Just use HttpSession. :)
>
> On 12/19/2013 11:27 AM, Anil Saldhana wrote:
>> Thinking further, this may inhibit a case of cookie injection that hacks
>> the location URL.
>> After form authentication, the server blindly redirects to the location
>> read from the cookie.
>>
>> On 12/19/2013 11:24 AM, Anil Saldhana wrote:
>>> Also, no path is being set on the cookie. If a user is using more than one
>>> web app with FORM authentication
>>> on the same server, this may wreak havoc.
>>>
>>> On 12/19/2013 11:02 AM, Anil Saldhana wrote:
>>>> Stuart,
>>>> I am unsure it is right to use cookies to remember the form redirect
>>>> URL. Traditionally, web containers (Tomcat and Jetty) have used the HTTP
>>>> session to remember the redirect URL.
>>>>
>>>> If a user has turned off cookies, then it may not work.
>>>>
>>>> Regards,
>>>> Anil
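The two concerns raised in the thread, a blind redirect to a client-controlled cookie value and a cookie issued without a Path, as an added example that is not part of the original thread and not code from the project under discussion. It is written in Go with net/http standing in for the servlet container; the cookie name `FORM_AUTH_LOCATION`, the context path `/app1`, the handler names and the attacker-supplied cookie values are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// Constructed names for this example; they are not the project's identifiers.
const (
	locationCookie = "FORM_AUTH_LOCATION" // where the pre-login URL is remembered
	contextPath    = "/app1"              // this web application's context root
)

// VulnerableLogin reproduces the pattern the thread objects to: after a
// successful form login the server redirects to whatever the cookie says.
// Anyone able to set a cookie for this host (a second app on the same host,
// a sibling subdomain, or an injection bug) picks the destination.
func VulnerableLogin(w http.ResponseWriter, r *http.Request) {
	target := contextPath + "/"
	if c, err := r.Cookie(locationCookie); err == nil {
		target = c.Value
	}
	http.Redirect(w, r, target, http.StatusFound)
}

// SafeTarget accepts only an in-application path. It rejects absolute URLs,
// scheme-relative "//host" forms, backslash variants that browsers normalise
// to "//", userinfo, and anything that escapes the context path via "..".
func SafeTarget(raw string) (string, bool) {
	if raw == "" || strings.Contains(raw, "\\") || !strings.HasPrefix(raw, "/") {
		return "", false
	}
	u, err := url.Parse(raw)
	if err != nil || u.IsAbs() || u.Host != "" || u.User != nil {
		return "", false
	}
	clean := path.Clean(u.Path) // collapses "/app1/../app2" to "/app2"
	if clean != contextPath && !strings.HasPrefix(clean, contextPath+"/") {
		return "", false
	}
	out := url.URL{Path: clean, RawQuery: u.RawQuery} // re-encodes the path
	return out.String(), true
}

// RememberLocation issues the cookie scoped to this application's path, so a
// second FORM-authenticated app on the same host cannot read or clobber it.
func RememberLocation(w http.ResponseWriter, target string) {
	http.SetCookie(w, &http.Cookie{
		Name: locationCookie, Value: target, Path: contextPath,
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode, MaxAge: 300,
	})
}

// HardenedLogin validates the remembered location before following it and
// clears the cookie once it has been consumed.
func HardenedLogin(w http.ResponseWriter, r *http.Request) {
	target := contextPath + "/"
	if c, err := r.Cookie(locationCookie); err == nil {
		if t, ok := SafeTarget(c.Value); ok {
			target = t
		}
	}
	http.SetCookie(w, &http.Cookie{Name: locationCookie, Value: "", Path: contextPath, MaxAge: -1})
	http.Redirect(w, r, target, http.StatusFound)
}

// RedirectFor drives a login handler with a given cookie value and returns
// the Location header it emits.
func RedirectFor(h http.HandlerFunc, cookieValue string) string {
	req := httptest.NewRequest("POST", contextPath+"/j_security_check", nil)
	req.AddCookie(&http.Cookie{Name: locationCookie, Value: cookieValue})
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Header().Get("Location")
}

// CookieScope returns the cookie RememberLocation would set, for inspection.
func CookieScope(target string) *http.Cookie {
	rec := httptest.NewRecorder()
	RememberLocation(rec, target)
	return rec.Result().Cookies()[0]
}

func main() {
	injected := "//evil.example/phish" // constructed attacker-set cookie value
	fmt.Println("vulnerable:", RedirectFor(VulnerableLogin, injected))
	fmt.Println("hardened:  ", RedirectFor(HardenedLogin, injected))
	fmt.Println("hardened:  ", RedirectFor(HardenedLogin, "/app1/secure/report?id=7"))
	fmt.Println("cookie path:", CookieScope("/app1/secure").Path)
}
```

The validation keeps the redirect inside the application's own context path rather than merely on the same host, which is the scope the thread's path-less cookie fails to enforce; the HttpSession alternative the thread prefers needs no such check only because the stored value never leaves the server.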