Can you even use the web these days without cookies :)
On Dec 19, 2013, at 11:44 AM, Anil Saldhana <Anil.Saldhana(a)redhat.com> wrote:
Scratch what I just said.
FormAuthentication.java uses cookies while
ServletFormAuthentication.java uses session.
I think the reason is that the former has no facility for Servlet
httpSession.
On 12/19/2013 11:30 AM, Anil Saldhana wrote:
> Probably not going to happen. Just use httpsession. :)
>
> On 12/19/2013 11:27 AM, Anil Saldhana wrote:
>> Thinking further, this may inhibit a case of cookie injection that hacks
>> the location url.
>> After form authentication, the server blindly redirects to the location
>> read from the cookie.
>>
>> On 12/19/2013 11:24 AM, Anil Saldhana wrote:
>>> Also no path is being set on the cookie. If a user is using more than one
>>> web app with FORM authentication
>>> on the same server, this may wreak havoc.
>>>
>>> On 12/19/2013 11:02 AM, Anil Saldhana wrote:
>>>> Stuart,
>>>> I am unsure it is right to use cookies to remember the form redirect
>>>> url. Traditionally, web containers (Tomcat and Jetty) have used http
>>>> session to remember the redirect url.
>>>>
>>>> If a user has turned off cookies, then it may not work.
>>>>
>>>> Regards,
>>>> Anil
>>>
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
--
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat
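The thread raises two concrete concerns: the server redirecting to whatever location it reads back from the cookie, and the cookie carrying no Path so that several FORM-authenticated apps on one host share it. The following is an added illustration, not Undertow's code nor anything posted by the participants; the class and method names are hypothetical, and it assumes a servlet-style context path (e.g. "/shop", or "" for the root context). It shows a check that only allows a remembered location that is a plain path inside the app's own context, and, for deployments that keep the cookie approach, a Set-Cookie value scoped to that context path.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;

/**
 * Hypothetical helper (not part of Undertow or of the thread above).
 * Validates a remembered post-login location before it is used as a
 * redirect target, and builds a cookie header scoped to the web app's
 * context path for deployments that keep the cookie approach.
 */
public final class SafeRedirectTarget {
    private SafeRedirectTarget() {}

    /**
     * Returns a location that is safe to redirect to after a successful
     * FORM login: an absolute path inside contextPath of this web app.
     * Anything else (full URLs, protocol-relative "//host", CR/LF or
     * control characters, backslashes, percent-encoded dots or slashes,
     * paths that escape the context) falls back to the context root.
     */
    public static String sanitize(String stored, String contextPath) {
        String root = contextPath.isEmpty() ? "/" : contextPath + "/";
        if (stored == null || stored.isEmpty()) return root;
        for (char c : stored.toCharArray()) {
            if (c < 0x20 || c == 0x7f) return root;      // header injection via CR/LF
        }
        if (stored.indexOf('\\') >= 0) return root;       // some browsers treat '\' as '/'
        if (!stored.startsWith("/") || stored.startsWith("//")) return root;
        URI uri;
        try {
            uri = new URI(stored).normalize();            // collapses "." and ".." segments
        } catch (URISyntaxException e) {
            return root;
        }
        if (uri.getScheme() != null || uri.getRawAuthority() != null) return root;
        String path = uri.getRawPath();
        if (path == null || !path.startsWith("/")) return root;
        String lower = path.toLowerCase(Locale.ROOT);
        // Encoded "." or "/" could be decoded by the container after this check
        if (lower.contains("%2e") || lower.contains("%2f")) return root;
        if (!path.equals(contextPath) && !path.startsWith(root)) return root;
        String query = uri.getRawQuery();                 // fragment and userinfo are dropped
        return query == null ? path : path + "?" + query;
    }

    /**
     * Set-Cookie header value for a redirect-location cookie scoped to the
     * web app's context path, so two FORM-authenticated apps on one host do
     * not overwrite each other's cookie. The value is URL-encoded because
     * paths may contain characters that are not cookie-safe.
     */
    public static String scopedCookieHeader(String name, String location,
                                            String contextPath, boolean secure) {
        String path = contextPath.isEmpty() ? "/" : contextPath;
        StringBuilder sb = new StringBuilder();
        sb.append(name).append('=')
          .append(URLEncoder.encode(location, StandardCharsets.UTF_8))
          .append("; Path=").append(path)
          .append("; HttpOnly");
        if (secure) sb.append("; Secure");
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real deployment.
        String[] samples = {
            "/shop/cart?item=42",          // accepted as-is
            "/shop/../admin/",             // escapes the context -> root
            "//evil.example/phish",        // protocol-relative -> root
            "https://evil.example/",       // absolute URL -> root
            "/shop/a\r\nSet-Cookie: x=y",  // header injection -> root
        };
        for (String s : samples) {
            System.out.println(s.replace("\r\n", "\\r\\n") + " -> " + sanitize(s, "/shop"));
        }
        System.out.println(scopedCookieHeader("FORM_REDIRECT", "/shop/cart?item=42", "/shop", true));
    }
}
```

Whichever store is used, the remembered value should go through a check like sanitize() before the redirect is issued; with an HttpSession the value is never exposed to the client at all, which is the simpler fix the thread settles on, and the session's own cookie is already scoped by the container.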