Stuart, I am unsure it is right to use cookies to remember the form redirect url. Traditionally, web containers (Tomcat and Jetty) have used http session to remember the redirect url. If an user has turned off cookies, then it may not work. Regards, Anil

Thinking further, this may inhibit a case of cookie injection that hacks the location url. After form authentication, the server blindly redirects to the location read from the cookie. On 12/19/2013 11:24 AM, Anil Saldhana wrote: > >Also no path is being set on the cookie. If user is using more than one > >web app with FORM authentication > >on the same server, this may wreck havoc. > > > >On 12/19/2013 11:02 AM, Anil Saldhana wrote: >> >>Stuart, >> >> I am unsure it is right to use cookies to remember the form redirect >> >>url. Traditionally, web containers (Tomcat and Jetty) have used http >> >>session to remember the redirect url. >> >> >> >>If an user has turned off cookies, then it may not work. >> >> >> >>Regards, >> >>Anil > >

Scratch what I just said. FormAuthentication.java uses cookies while ServletFormAuthentication.java uses session. I think the reason is that the former has no facility for Servlet httpSession. On 12/19/2013 11:30 AM, Anil Saldhana wrote: > Probably not going to happen. Just use httpsession. :) > > On 12/19/2013 11:27 AM, Anil Saldhana wrote: >> Thinking further, this may inhibit a case of cookie injection that hacks >> the location url. >> After form authentication, the server blindly redirects to the location >> read from the cookie. >> >> On 12/19/2013 11:24 AM, Anil Saldhana wrote: >>>> Also no path is being set on the cookie. If user is using more than one >>>> web app with FORM authentication >>>> on the same server, this may wreck havoc. >>>> >>>> On 12/19/2013 11:02 AM, Anil Saldhana wrote: >>>>>> Stuart, >>>>>> I am unsure it is right to use cookies to remember the form redirect >>>>>> url. Traditionally, web containers (Tomcat and Jetty) have used http >>>>>> session to remember the redirect url. >>>>>> >>>>>> If an user has turned off cookies, then it may not work. >>>>>> >>>>>> Regards, >>>>>> Anil >>>> _______________________________________________ undertow-dev mailing list undertow-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/undertow-dev

----- Original Message ----- > From: "Anil Saldhana" <Anil.Saldhana(a)redhat.com&gt; > To: undertow-dev(a)lists.jboss.org > Sent: Thursday, 19 December, 2013 6:44:49 PM > Subject: Re: [undertow-dev] FormAuthentication -> handleRedirectback method > > Scratch what I just said. > > FormAuthentication.java uses cookies while > ServletFormAuthentication.java uses session. > > I think the reason is that the former has no facility for Servlet > httpSession. > I will change the non-servlet one to also use the session.

> On 12/19/2013 11:30 AM, Anil Saldhana wrote: >> Probably not going to happen. Just use httpsession. :) >> >> On 12/19/2013 11:27 AM, Anil Saldhana wrote: >>> Thinking further, this may inhibit a case of cookie injection that hacks >>> the location url. >>> After form authentication, the server blindly redirects to the location >>> read from the cookie. >>> >>> On 12/19/2013 11:24 AM, Anil Saldhana wrote: >>>>> Also no path is being set on the cookie. If user is using more than one >>>>> web app with FORM authentication >>>>> on the same server, this may wreck havoc. >>>>> >>>>> On 12/19/2013 11:02 AM, Anil Saldhana wrote: >>>>>>> Stuart, >>>>>>> I am unsure it is right to use cookies to remember the form >>>>>>> redirect >>>>>>> url. Traditionally, web containers (Tomcat and Jetty) have used http >>>>>>> session to remember the redirect url. >>>>>>> >>>>>>> If an user has turned off cookies, then it may not work. >>>>>>> >>>>>>> Regards, >>>>>>> Anil >>>>>