On Sep 16, 2011, at 11:13 AM, Massimo Di Pierro wrote:

> auto_redirect works for any redirect, even if not relative.
> So you send an email like
>
> click here
> http://...../app/path
>
> and if http://...../app/path requires login, you get redirected to
> login but not back to http://...../app/path unless '/app/path' is in
> auto_redirect.
> Internally it still uses _next.
>
> Sometimes I think the need for auto_redirect is paranoid.

What's the hazard? Presumably there's nothing to stop the user from going to the same URL after a successful login, so why not automatically?

> Massimo
>
> On Sep 16, 12:31 pm, Anthony <[email protected]> wrote:
>> On Friday, September 16, 2011 12:57:07 PM UTC-4, Massimo Di Pierro wrote:
>>
>>> This is in general a security hazard so it needs to be enabled:
>>>
>>> auth = Auth(db,auto_redirect=[URL(...),URL(...)])
>>>
>>> where URL(...) are the urls where it is safe to redirect to after
>>> login if originally requested. trunk only.
>>
>> Even without auto_redirect, isn't the original _next functionality still in
>> place? This change
>> (http://code.google.com/p/web2py/source/detail?r=ae2afc33d6d6afe7de9a2...)
>> improved the security by ensuring _next can only include relative URLs --
>> isn't that sufficient to plug the security hole? How does auto_redirect
>> interact with the standard _next functionality?
>>
>> Anthony
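The thread contrasts two ways of deciding where to send a user after login: accept the requested `_next` only if it is a relative URL, or accept only destinations on an explicit `auto_redirect` allowlist. The following is an added illustration of both checks, written for this discussion; it is not web2py's own `Auth` code, and the function names, the strictness of the relative-URL test (rooted path, no scheme, no host, no backslashes or control characters) and the rule that an allowlisted absolute URL is accepted exactly as listed are assumptions of this example, not a description of how web2py's trunk actually combines the two.

```python
from urllib.parse import urlsplit

# Hypothetical helpers, not web2py's implementation.


def is_safe_relative(next_url):
    """Return True only if next_url is a rooted path on this site.

    Rejects absolute URLs (scheme or host present), protocol-relative
    '//host' forms, backslash variants that browsers normalise to '/',
    and control/whitespace characters that can change how a browser
    reparses a Location header.
    """
    if not next_url:
        return False
    if any(c.isspace() or ord(c) < 0x20 for c in next_url):
        return False
    if "\\" in next_url:
        return False
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        return False
    # A single leading slash means a path on this site; '//' would be
    # interpreted as a different host.
    return next_url.startswith("/") and not next_url.startswith("//")


def choose_post_login_redirect(requested_next, auto_redirect=None, default="/"):
    """Pick the post-login destination from a user-supplied _next value.

    - If an auto_redirect allowlist is given, only an exact match wins,
      and a match may be absolute (the allowlist is the authority).
    - Without an allowlist, fall back to the relative-URL rule.
    - Anything else goes to the default landing page.
    """
    if not requested_next:
        return default
    if auto_redirect is not None:
        return requested_next if requested_next in auto_redirect else default
    return requested_next if is_safe_relative(requested_next) else default


if __name__ == "__main__":
    # Constructed sample values for a quick manual run.
    for candidate in ["/app/path", "//evil.example/", "http://evil.example/", "/\\evil.example"]:
        print(candidate, "->", choose_post_login_redirect(candidate))
```

The relative-URL rule alone covers the common open-redirect cases in the thread; the allowlist is the stricter option, and the example treats an allowlisted URL as trusted even when it is absolute, which is the behaviour Massimo describes for `auto_redirect`.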

