[geeklog-devel] Redirect after login

Christian Weiske cweiske at cweiske.de
Thu Nov 26 16:33:08 EST 2009


Hi Dirk,


> So I think we need to agree on a way to pass the target URL around
> during the login.
> 
> Suggestion: When linking to /users.php, add ?redirect=urlencode
> ($target_url) to the URL. Then we can change users.php to do the
> redirect after successful login.
> 
> Any problems with that? Other suggestions?

I do not know any of geeklog's behavior or code, but I'd like to
describe how Typo3's frontend login works:
When the user accesses a page that is access restricted, instead of
redirecting him to a login page, the login page is displayed /instead/
of the page content. That way the user stays on the original URL, even
after submitting the login form. The authentication mechanism
recognizes the login data being sent via $_POST and logs the user in -
or displays the login form again. When the user sent valid credentials,
the normal page content is shown.

This login system gets rid of any redirection necessities.

If you cannot follow that approach, I suggest you pass the target URL
via POST because otherwise, CSRF attacks may be possible - by sending
out links that redirect to a malicious site after login.

-- 
Regards/Mit freundlichen Grüßen
Christian Weiske

-= Geeking around in the name of science since 1982 =-
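
If the target URL is passed around during login, whether in the query string or in a POST field, users.php can compare it with the site's own URL before redirecting. The following PHP sketch is an added example, not part of the original message and not Geeklog's code; `safe_redirect_target()`, its parameters and the sample URLs are assumptions made for illustration:

```php
<?php
// Added example: all names here are hypothetical, not Geeklog's.

// Return $target only if it stays on the same site as $siteUrl; otherwise $fallback.
function safe_redirect_target(string $target, string $siteUrl, string $fallback): string
{
    // Control characters allow header injection; some browsers read "\" as "/".
    if ($target === '' || preg_match('/[\x00-\x1f\x7f\\\\]/', $target)) {
        return $fallback;
    }
    // Site-relative path. "//host/..." is protocol-relative and leaves the site.
    if ($target[0] === '/') {
        return (substr($target, 0, 2) === '//') ? $fallback : $target;
    }
    $t = parse_url($target);
    $s = parse_url($siteUrl);
    if (!is_array($t) || !is_array($s)
        || !isset($t['scheme'], $t['host'], $s['scheme'], $s['host'])
        || isset($t['user'])) {               // refuse "user@host" forms
        return $fallback;
    }
    $ports = ['http' => 80, 'https' => 443];
    $ts = strtolower($t['scheme']);
    $ss = strtolower($s['scheme']);
    if (!isset($ports[$ts]) || $ts !== $ss
        || strcasecmp($t['host'], $s['host']) !== 0
        || ($t['port'] ?? $ports[$ts]) !== ($s['port'] ?? $ports[$ss])) {
        return $fallback;
    }
    return $target;
}

// Constructed sample targets, as they might arrive in a "redirect" field.
$site = 'https://www.example.com';
$samples = [
    '/article.php?story=42',
    'https://www.example.com/forum/',
    'https://other.example.net/',
    '//other.example.net/',
    'https://www.example.com@other.example.net/',
    'javascript:alert(1)',
];
foreach ($samples as $candidate) {
    $dest = safe_redirect_target($candidate, $site, $site . '/index.php');
    printf("%-45s -> %s\n", $candidate, $dest);
}
```

Only the first two samples are returned unchanged; every other target falls back to the site's index page.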