[geeklog-devel] Redirect after login

Tony Bibbs tony at tonybibbs.com
Sat Nov 28 12:00:27 EST 2009


Regardless of how easily it can be faked, the redirect logic should throw errors
if it isn't in the same domain.  If you are extra paranoid then set a
security token à la CSRF.

On Sat, Nov 28, 2009 at 10:30 AM, Dirk Haun <dirk at haun-online.de> wrote:

> Tony Bibbs wrote:
>
> >When you get to login.php be sure to grab referrer and take the back.
>
> Hmm. We check the referrer only after the login has been confirmed. So
> at this point, it would refer to the login page, not to the page before
> that. So we could include the original referrer with the login data. How
> easily could that be faked?
>
> bye, Dirk
>
>
> --
> http://www.haun-online.de/
> http://spam.tinyweb.net/
>



-- 
Tony Bibbs
Phone: (515) 554-8046
Twitter, Skype, Facebook: tonybibbs
Web: http://www.tonybibbs.com
        http://www.apteno.net
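The two safeguards suggested in this thread (only follow a redirect that stays on the site's own domain, and bind the stored return URL to the login with a CSRF-style token) as an added example; this is illustrative code, not Geeklog's own logic, and the site URL, session id and secret below are constructed stand-ins.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, urljoin

# Constructed stand-in for the site's configured base URL.
SITE_URL = "https://www.example.org/"


def is_local_redirect(target: str, site_url: str = SITE_URL) -> bool:
    """Accept only targets that resolve to the site's own scheme and host.

    Rejects absolute URLs to other hosts, scheme-relative targets ("//host/..."),
    non-http schemes, and backslash variants some browsers treat as slashes.
    """
    target = (target or "").strip()
    if not target or target.startswith("//") or "\\" in target:
        return False
    resolved = urljoin(site_url, target)   # relative paths resolve against the site
    site, dest = urlsplit(site_url), urlsplit(resolved)
    return (dest.scheme == site.scheme
            and dest.netloc.lower() == site.netloc.lower()
            and dest.path.startswith("/"))


def make_redirect_token(target: str, session_id: str, secret: bytes) -> str:
    """Bind the return URL to this login session with an HMAC (the 'CSRF-style' token)."""
    msg = f"{session_id}\x00{target}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def checked_redirect(target: str, token: str, session_id: str, secret: bytes,
                     fallback: str = "/", site_url: str = SITE_URL) -> str:
    """Return where to send the user after login: the target if it passes both
    checks, otherwise the fallback (a local page, never the submitted value)."""
    if not is_local_redirect(target, site_url):
        return fallback
    expected = make_redirect_token(target, session_id, secret)
    if not hmac.compare_digest(expected, token):
        return fallback
    return urljoin(site_url, target)
```

The token is issued when the login form is rendered (with the original referrer) and verified together with the submitted return URL, so a forged return URL without a matching token falls back to the site's front page.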