auto_redirect works for any redirect, even if not relative. So you send an email like

click here http://...../app/path

and if http://...../app/path requires login, you get redirected to login but not back to http://...../app/path unless '/app/path' is in auto_redirect. Internally it still uses _next. Sometimes I think the need for auto_redirect is paranoid.

Massimo

On Sep 16, 12:31 pm, Anthony <[email protected]> wrote:
> On Friday, September 16, 2011 12:57:07 PM UTC-4, Massimo Di Pierro wrote:
> > This is in general a security hazard so it needs to be enabled:
> >
> > auth = Auth(db,auto_redirect=[URL(...),URL(...)])
> >
> > where URL(...) are the urls where it is safe to redirect to after
> > login if originally requested. trunk only.
>
> Even without auto_redirect, isn't the original _next functionality still in
> place? This change
> (http://code.google.com/p/web2py/source/detail?r=ae2afc33d6d6afe7de9a2...)
> improved the security by ensuring _next can only include relative URLs --
> isn't that sufficient to plug the security hole? How does auto_redirect
> interact with the standard _next functionality?
>
> Anthony
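The two rules the thread compares, written out as an added example that is not web2py's own code: a `_next` value is honoured only if it is a same-site relative path, and an absolute URL is honoured only if it appears verbatim in an `auto_redirect` allow-list. Function names, the `default` landing page and the sample URLs are assumptions for illustration.

```python
from urllib.parse import urlsplit


def is_relative_url(url):
    """True only for a same-site path such as '/app/path?x=1'.

    Rejects anything carrying a scheme or host. That includes the
    protocol-relative form '//host/...' and '/\\host/...', which some
    browsers normalise to '//host/...', as well as control characters
    that could smuggle a second header into the Location response.
    """
    if not url or not url.startswith("/"):
        return False
    if url.startswith("//") or url.startswith("/\\"):
        return False
    if any(ord(ch) < 32 for ch in url):
        return False
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc == ""


def is_allowed_absolute(url, auto_redirect):
    """Exact-match allow-list, playing the role of auto_redirect."""
    return url in auto_redirect


def safe_next(next_url, auto_redirect=(), default="/"):
    """Decide where to send the user after a successful login.

    Relative _next values pass the relative-only rule; absolute ones
    pass only through the allow-list; everything else falls back to
    `default`, so an attacker-supplied _next can never leave the site.
    """
    if next_url is None:
        return default
    if is_relative_url(next_url):
        return next_url
    if is_allowed_absolute(next_url, auto_redirect):
        return next_url
    return default


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    allow = ["http://site.example/app/path"]
    for candidate in ["/app/path", "//evil.example/", "http://evil.example/",
                      "http://site.example/app/path"]:
        print(candidate, "->", safe_next(candidate, auto_redirect=allow))
```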

