[undertow-dev] FormAuthentication -> handleRedirectback method

Anil Saldhana Anil.Saldhana at redhat.com
Thu Dec 19 12:30:41 EST 2013


Probably not going to happen. Just use httpsession. :)

On 12/19/2013 11:27 AM, Anil Saldhana wrote:
> Thinking further, this may inhibit a case of cookie injection that hacks
> the location url.
> After form authentication, the server blindly redirects to the location
> read from the cookie.
>
> On 12/19/2013 11:24 AM, Anil Saldhana wrote:
>> Also no path is being set on the cookie. If a user is using more than one
>> web app with FORM authentication
>> on the same server, this may wreak havoc.
>>
>> On 12/19/2013 11:02 AM, Anil Saldhana wrote:
>>> Stuart,
>>>      I am unsure it is right to use cookies to remember the form redirect
>>> url.  Traditionally, web containers (Tomcat and Jetty) have used http
>>> session to remember the redirect url.
>>>
>>> If a user has turned off cookies, then it may not work.
>>>
>>> Regards,
>>> Anil
>>
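The session-based approach argued for in this thread, as an added example that is not Undertow's own code: a hypothetical helper on the Servlet API that keeps the pre-login location in the HttpSession (scoped to one web app, unlike a path-less cookie) and only honours a saved target that points back into this application, so a tampered or injected value cannot steer the post-login redirect off-site. Class and attribute names are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical helper (not Undertow's FormAuthenticationMechanism): the pre-login
// location lives in the HTTP session, which is scoped to this web app, instead of a
// path-less cookie, and is only honoured if it points back into this app.
public final class SavedLocation {
    private static final String ATTR = "form.auth.saved.location";

    // Called when an unauthenticated request is challenged with the login form.
    public static void save(HttpServletRequest req) {
        String target = req.getRequestURI();
        if (req.getQueryString() != null) target += "?" + req.getQueryString();
        req.getSession(true).setAttribute(ATTR, target);
    }

    // Called after a successful login: returns where to redirect, or the default.
    public static String consume(HttpServletRequest req, String defaultPage) {
        HttpSession session = req.getSession(false);
        if (session == null) return defaultPage;
        Object saved = session.getAttribute(ATTR);
        session.removeAttribute(ATTR); // one-shot: never replay a stale target
        return isLocalTarget(saved, req.getContextPath()) ? (String) saved : defaultPage;
    }

    // Accept only an absolute path (no scheme, no authority, not protocol-relative)
    // that stays under this application's context path. This is the check that keeps
    // a tampered or injected value from redirecting the user off-site.
    static boolean isLocalTarget(Object value, String contextPath) {
        if (!(value instanceof String)) return false;
        String s = (String) value;
        if (!s.startsWith("/") || s.startsWith("//") || s.startsWith("/\\")) return false;
        try {
            URI uri = new URI(s);
            if (uri.getScheme() != null || uri.getRawAuthority() != null) return false;
            String path = uri.normalize().getPath();
            String prefix = contextPath.isEmpty() ? "/" : contextPath + "/";
            return path.equals(contextPath) || path.startsWith(prefix);
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```

With the root context (empty context path) any absolute path is accepted; with context path `/app`, `/app/../other` normalizes to `/other` and falls back to the default page.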
