Closed JVT038 closed 11 months ago
BTW, currently the redirection target URL is encoded and stored in the GET parameters. So it's like `localhost/login?redirect={target url}`.

In theory, anyone could just manually edit the target URL in the GET parameter and be redirected to whatever they want. Is this dangerous, or should we check if the target URL exists and stuff?
We should make sure to only allow relative URLs; I think then we are fine.
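A validator that implements the "only allow relative URLs" rule from the comment above, as an added example rather than code from this PR or project. The project's language and web framework are not shown in the thread, so Python, the function names `is_safe_redirect` and `resolve_redirect`, and the fallback target `/` are assumptions. It rejects anything that would leave the site, including the forms browsers resolve to another host even though a naive parser does not (`//host`, `///host`, `/\host`, and targets with control characters).

```python
from urllib.parse import urlsplit

# Where to send the user when the ?redirect= value is rejected (assumed default).
DEFAULT_TARGET = "/"
MAX_TARGET_LEN = 2048


def is_safe_redirect(target: str) -> bool:
    """Return True only for a path on this site, e.g. '/dashboard?tab=1#top'.

    Everything else is rejected: absolute URLs, protocol-relative URLs,
    scheme-only values such as 'javascript:', and the browser-specific
    spellings that resolve to another host.
    """
    if not target or len(target) > MAX_TARGET_LEN:
        return False

    # Browsers strip tabs/newlines and control characters before parsing, so a
    # value like "java\tscript:" can turn into a scheme after this step.
    if any(ord(ch) < 0x20 or ch in " \t\r\n\x7f" for ch in target):
        return False

    # Browsers treat '\' as '/', so '/\evil.example' becomes '//evil.example'.
    if "\\" in target:
        return False

    # Must start with exactly one '/'. '//host' is protocol-relative, and
    # '///host' is collapsed by browsers to '//host' (urlsplit does not do this).
    if not target.startswith("/") or target[1:2] == "/":
        return False

    parts = urlsplit(target)
    # Any scheme ('https:', 'javascript:') or host component means it leaves the site.
    if parts.scheme or parts.netloc:
        return False

    return True


def resolve_redirect(target: str, fallback: str = DEFAULT_TARGET) -> str:
    """Return the validated target, or the fallback when the target is rejected."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample values a ?redirect= parameter might carry.
    for sample in ["/dashboard", "/account?tab=security", "//evil.example",
                   "///evil.example", "https://evil.example/", "/\\evil.example",
                   "javascript:alert(1)", "dashboard", ""]:
        print(f"{sample!r:28} -> {resolve_redirect(sample)!r}")
```

Use `resolve_redirect` on the raw parameter value and redirect to its return value only; the fallback keeps the login flow working when the parameter is missing or tampered with. Checking whether the target "exists" is not needed for this: the risk is the host the browser ends up on, not whether the path 404s.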
This PR automatically redirects the user to the login page if they're not authenticated, with a warning that they have to log in before viewing the page.
Besides that, the user will be redirected back to the page they attempted to view if they log in.