[geeklog-devel] Redirect after login
tony at tonybibbs.com
Sat Nov 28 12:00:27 EST 2009
Regardless of how easily it can be faked, the redirect logic should throw errors
if it isn't in the same domain. If you are extra paranoid then set a
security token a la CSRF.
On Sat, Nov 28, 2009 at 10:30 AM, Dirk Haun <dirk at haun-online.de> wrote:
> Tony Bibbs wrote:
> >When you get to login.php be sure to grab referrer and take the back.
> Hmm. We check the referrer only after the login has been confirmed. So
> at this point, it would refer to the login page, not to the page before
> that. So we could include the original referrer with the login data. How
> easily could that be faked?
> bye, Dirk
Phone: (515) 554-8046
Twitter, Skype, Facebook: tonybibbs
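The two defences Tony sketches (reject any post-login redirect target that leaves the site's own domain, and bind the target to a token the way CSRF protection does) are shown below in an added example. It is not Geeklog code and does not mirror its login.php; it is written in Python rather than PHP so it can be run stand-alone, and the host name, the session secret and the helper names are assumptions chosen for the illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: the site's own host name; Geeklog would take this from its config.
SITE_HOST = "www.example.com"
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect(target: str, site_host: str = SITE_HOST) -> bool:
    """Return True only if `target` stays on `site_host`.

    Accepts site-relative paths ("/index.php?topic=x") and absolute URLs whose
    host equals the site's host. Rejects scheme-relative URLs ("//evil.example"),
    userinfo tricks ("http://www.example.com@evil.example"), non-HTTP schemes
    ("javascript:") and control characters that could split headers.
    """
    if not target or any(c in target for c in "\\\r\n\t"):
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.netloc:
        # Absolute (or scheme-relative) URL: no userinfo, host must match exactly.
        if parts.username is not None or parts.password is not None:
            return False
        return (parts.hostname or "").lower() == site_host.lower()
    # No netloc: must be a single-slash site-relative path.
    return target.startswith("/") and not target.startswith("//")


def make_redirect_token(target: str, session_secret: bytes) -> str:
    """HMAC the redirect target with a per-session secret when the login form is
    rendered; the form carries both, so a forged target fails the check later."""
    return hmac.new(session_secret, target.encode("utf-8"), hashlib.sha256).hexdigest()


def resolve_redirect(target: str, token: str, session_secret: bytes,
                     site_host: str = SITE_HOST, fallback: str = "/") -> str:
    """Decide where to send the user after a confirmed login.

    Both checks must pass: the target is same-domain AND the token matches.
    Anything else falls back to the site root instead of raising, so a bad
    value never becomes an open redirect.
    """
    if is_safe_redirect(target, site_host):
        expected = make_redirect_token(target, session_secret)
        if hmac.compare_digest(expected, token):
            return target
    return fallback


if __name__ == "__main__":
    # Constructed sample: a session secret and the page the user came from.
    secret = b"per-session-random-secret"
    came_from = "/article.php?story=20091128"
    tok = make_redirect_token(came_from, secret)
    print(resolve_redirect(came_from, tok, secret))                 # the original page
    print(resolve_redirect("//evil.example/", tok, secret))         # "/"
    print(resolve_redirect(came_from, "0" * 64, secret))            # "/"
```

The same-domain test is the mandatory half; the token only adds protection against a link that was crafted before the login page was ever reached, which is the "extra paranoid" case in the thread.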