[geeklog-devel] Redirect after login

Dirk Haun dirk at haun-online.de
Thu Nov 26 16:53:41 EST 2009


Christian Weiske wrote:

>When the user accesses a page that is access restricted, instead of
>redirecting him to a login page, the login page is displayed /instead/
>of the page content.

That sounds like a good idea. In Geeklog, the login restriction is
enforced by the plugin, so we would need to provide some function for
that (which would then also take care of all the various login options).

Btw, forgot to mention that the site in question does not have the usual
login form in the left blocks.


>If you cannot follow that approach, I suggest you pass the target URL
>via POST because otherwise, CSRF attacks may be possible - by sending
>out links that redirect to a malicious site after login.

Right. Just before your email came in, I was thinking "oops, we need to
check that the redirect URL starts with the site's URL". And with a URL
for the links plugin, you could then still send the user to some other
site. So the more I think about it, passing the actual redirect URL is
beginning to sound like a bad idea ...

bye, Dirk


-- 
http://www.haun-online.de/
http://spam.tinyweb.net/
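Added example, not code from this thread or from Geeklog: a PHP check that accepts a post-login redirect target only when its scheme, host and port equal the site's own (a raw "starts with the site URL" string comparison would accept look-alike hosts), which also refuses same-site redirector scripts of the kind the links plugin concern describes, beside the session-based alternative Dirk leans toward, where the restricted page records its own location and no URL travels through the request. The `/links/portal.php` redirector path is a hypothetical placeholder, not a verified Geeklog path.

```php
<?php
// Validate an attacker-supplied return URL against the site's base URL.
// Returns true only for an absolute URL on the same scheme/host/port.
function is_safe_return_url(string $target, string $siteUrl): bool
{
    $site = parse_url($siteUrl);
    $t    = parse_url($target);
    if ($site === false || $t === false || !isset($t['host'])) {
        return false; // relative, protocol-relative without scheme, or unparsable
    }
    // Compare components, not string prefixes: a prefix test would accept
    // "http://www.example.com.attacker.net/" for site "http://www.example.com".
    if (($t['scheme'] ?? '') !== ($site['scheme'] ?? '')) return false;
    if (strcasecmp($t['host'], $site['host'] ?? '') !== 0) return false;
    if (($t['port'] ?? null) !== ($site['port'] ?? null)) return false;
    if (isset($t['user']) || isset($t['pass'])) return false; // userinfo tricks
    // Stay under the site's own path prefix, if it has one.
    $basePath = rtrim($site['path'] ?? '/', '/') . '/';
    $path     = $t['path'] ?? '/';
    if (strpos($path, $basePath) !== 0 && $path !== rtrim($basePath, '/')) return false;
    // A same-site page may itself forward elsewhere (the links plugin case),
    // so known redirector scripts are refused. Placeholder list, assumed.
    foreach (['/links/portal.php'] as $redirector) {
        if (strpos($path, $redirector) === 0) return false;
    }
    return true;
}

// Alternative that avoids passing the URL at all: the restricted page
// stores where it is, the login handler reads and clears that value.
function remember_return_location(array &$session, string $requestUri): void
{
    $session['return_to'] = $requestUri; // server-side value, not a link parameter
}

function pop_return_location(array &$session, string $siteUrl): string
{
    $path = $session['return_to'] ?? '/';
    unset($session['return_to']);
    // Only a path is stored, so the host is always the site's own.
    return rtrim($siteUrl, '/') . '/' . ltrim($path, '/');
}

// Constructed inputs for a quick run.
var_dump(is_safe_return_url('http://www.example.com/article.php?story=1', 'http://www.example.com')); // true
var_dump(is_safe_return_url('http://www.example.com.attacker.net/', 'http://www.example.com'));      // false
var_dump(is_safe_return_url('//attacker.net/x', 'http://www.example.com'));                          // false
var_dump(is_safe_return_url('http://www.example.com/links/portal.php?what=link', 'http://www.example.com')); // false
```

With the session approach the login form needs no hidden field or query parameter for the target, so there is nothing for a crafted link to influence.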
