Hi Veikko,

I usually pass a readily generated url. However, for apache to understand it, you need to pass it as a GET or POST param, this will not work:

http://example.com/foo/redirect/http://example.com/bar

while this will

http://example.com/foo/redirect/?target=http://example.com/bar

However, security is always an issue: Anyone can send a user to this url and have him redirected somewhere else. So you need to think about how to secure your url - you could pass a partial url only and prepend your hostname just before redirecting - this should prevent most attack scenarios. Or you could use a hash to make sure that the url has been generated by your app:

http://example.com/foo/redirect/?target=http://example.com/bar&hash=SOMEHASH

where SOMEHASH is md5(targeturl + server-side secret). In your redirect action you just need to check that the hash is valid for the given url. However, that requires all urls to be generated on the server side as the secret cannot be passed to the client.

cheers
felix

On Feb 26, 2009, at 10:24 AM, Veikko Mäkinen wrote:

Hello all,

I need "loopback links" i.e. links that trigger an action and then redirect back to the originator page. I have used session based breadcrumbs for this but now I'd like to figure out a better - and ajax ready - solution to this. Obviously simple session based breadcrumbs are going to break when I add asynchronous requests to the mix.

So, I need a query parameter to tell where to redirect. Has anyone done this before? What did you pass as a parameter? Route name + params or a ready generated URL? Should I encode or even encrypt it somehow?

Security is not really an issue but can I break Apache with too many // in the URL or something?

-veikko

--
Veikko Mäkinen
[email protected]
044 5910 413
http://blog.veikko.fi
_______________________________________________
users mailing list
[email protected]
http://lists.agavi.org/mailman/listinfo/users
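The two safeguards suggested in the reply above, written out in plain PHP as an added example (not code from the thread or from Agavi). It uses HMAC-SHA256 with a constant-time comparison in place of the md5(targeturl + secret) construction mentioned in the message; the secret value, the constants and all function names are assumptions, and PHP 7.1 or later is assumed.

```php
<?php
// Added example. Assumed names: REDIRECT_SECRET, OWN_ORIGIN and all functions.
const REDIRECT_SECRET = 'constructed-secret-for-illustration'; // never sent to the client
const OWN_ORIGIN = 'http://example.com';

// Safeguard 1: accept a partial URL (path only) and prepend our own host.
function localRedirectTarget(string $path): ?string
{
    $isLocal = $path !== '' && $path[0] === '/'
        && substr($path, 0, 2) !== '//'            // "//host" names another host
        && strpbrk($path, "\\\r\n") === false;     // no backslash, no CR/LF in the header
    return $isLocal ? OWN_ORIGIN . $path : null;
}

// Safeguard 2: keyed hash over the target, computed on the server.
function signTarget(string $url): string
{
    return hash_hmac('sha256', $url, REDIRECT_SECRET);
}

function buildRedirectLink(string $url): string
{
    return OWN_ORIGIN . '/foo/redirect/?target=' . rawurlencode($url)
        . '&hash=' . signTarget($url);
}

// Returns the target only if the hash matches; null means "do not redirect".
function verifiedTarget(array $query): ?string
{
    $url  = $query['target'] ?? null;
    $hash = $query['hash'] ?? null;
    if (!is_string($url) || !is_string($hash)) {
        return null; // missing or array-valued parameter
    }
    return hash_equals(signTarget($url), $hash) ? $url : null;
}

// Constructed requests: one generated by the app, one altered afterwards.
$link = buildRedirectLink('http://example.com/bar');
parse_str(parse_url($link, PHP_URL_QUERY), $query);
var_dump(verifiedTarget($query));
$query['target'] = 'http://other.example/';   // hash no longer matches
var_dump(verifiedTarget($query));
var_dump(localRedirectTarget('/bar'), localRedirectTarget('//other.example/'));
```

In the redirect action, a null result from either function should fall back to a fixed default page instead of redirecting.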
