[geeklog-devel] Redirect after login

Vincent Furia vfuria at gmail.com
Sat Nov 28 13:46:08 EST 2009


Instead of using a full path, just use a relative path name: index.php
instead of http://www.geeklog.net/index.php. If someone tries to pass
another web page, they'd just wind up with a 404 from
http://www.geeklog.net/http://www.hacker.com.

The problem with using the referrer (by itself) to the login page is someone
could send them there from an external page. If you go that route,
definitely check that the referrer is in the same domain.

-Vinny

On Sat, Nov 28, 2009 at 10:55 AM, Joe Mucchiello <joe at throwingdice.com> wrote:

> At 11:30 AM 11/28/2009, Dirk Haun wrote:
>
>> Tony Bibbs wrote:
>>
>> >When you get to login.php be sure to grab referrer and take the back.
>>
>> Hmm. We check the referrer only after the login has been confirmed. So
>> at this point, it would refer to the login page, not to the page before
>> that. So we could include the original referrer with the login data. How
>> easily could that be faked?
>>
>
> In the database, no one at all. There is a Geeklog session in the cookies
> that is destroyed during login. But before it is destroyed the database
> record referenced by the cookie could store the original referrer. No need
> for extra post parameters that can be faked. No need to deal with $_SESSION.
> Just wrap the "display login" in a function and it handles getting the
> return URL into the session record.
>
>
>
> ----
> Joe Mucchiello
> Throwing Dice Games
> http://www.throwingdice.com
>
>