It is not handled adequately if the app uses an external
authentication. Perhaps there is a better solution... let me think
about this some more.
Basically the issue is this code in web2py/gluon/tools.py:

    if auto_redirect and URL() in auto_redirect:
        if not self.user:
            if not session._auth_next:
                session._auth_next = URL(args=request.args,
                                         vars=request.get_vars)
    if auto_redirect and not URL() in auto_redirect and \
            self.user and session._auth_next:
        next = session._auth_next
        session._auth_next = None
        redirect(next)
Should it just be?

    if not self.user:
        if not session._auth_next:
            session._auth_next = URL(args=request.args,
                                     vars=request.get_vars)
    if self.user and session._auth_next and not self.user and \
            session._auth_next.startswith(URL()):
        next = session._auth_next
        session._auth_next = None
        redirect(next)

and get rid of auto_redirect?
On Sep 16, 3:27 pm, Anthony <[email protected]> wrote:
> On Friday, September 16, 2011 3:00:59 PM UTC-4, Jonathan Lundell wrote:
>
> > On Friday, September 16, 2011 2:21:07 PM UTC-4, Jonathan Lundell wrote:
>
> > > Sometimes I think the need for auto_redirect is paranoid.
>
> >> What's the hazard? Presumably there's nothing to stop the user from going
> >> to the same URL after a successful login, so why not automatically?
>
> > This: https://groups.google.com/d/topic/web2py/dU7018Acz9s/discussion
>
> > But the auto_redirect list doesn't protect against that.
>
> > As I read the code, auto-redirect after login (in the sense of going back
> > to the target URL) a) only uses the output of URL(), with no domain (so no
> > phishing), and b) stores its redirection in session.
>
> > I didn't look too closely at the _next= logic, but it doesn't appear to
> > care about the auto_redirect list. If those URLs need to be checked,
> > wouldn't it be adequate to require that they're relative URLs (in the sense
> > of not including a domain)?
>
> Right, I thought you were asking about the general need to restrict what is
> allowed in _next. I'm also confused about auto_redirect -- looks like it is
> still limited to URLs internal to the app, which should be handled
> adequately by the new _next logic that allows only relative URLs.
>
> Anthony
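As an added illustration (not web2py's code, and not from either poster), here is a standalone version of the check Anthony describes, accepting a _next/_auth_next target only if it is a path inside the application, together with the session round-trip sketched in the proposal above. The "/myapp/" prefix, the plain dict used as the session, and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumed application URL prefix; in web2py this would come from URL().
APP_PREFIX = "/myapp/"


def is_safe_next(target, app_prefix=APP_PREFIX):
    """Return True only if target is an absolute path inside this app.

    Rejects anything with a scheme or host (including protocol-relative
    "//host" forms), backslashes and control characters that browsers may
    reinterpret as a host, and paths outside the application prefix.
    """
    if not isinstance(target, str) or not target:
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    return parts.path.startswith(app_prefix)


def remember_next(session, request_url, user):
    """Before login: store the current app URL once, as the proposal does.

    session is a dict standing in for web2py's session object (assumption).
    """
    if user is None and not session.get("_auth_next") \
            and is_safe_next(request_url):
        session["_auth_next"] = request_url


def pop_next(session, user):
    """After login: return the stored target (re-validated) and clear it.

    Returns None when there is no logged-in user or no usable target.
    """
    if user is None:
        return None
    target = session.pop("_auth_next", None)
    return target if is_safe_next(target) else None


if __name__ == "__main__":
    s = {}                                      # constructed session
    remember_next(s, "/myapp/default/secret", None)
    print(pop_next(s, "alice"))                 # /myapp/default/secret
    print(is_safe_next("//evil.example/x"))     # False
```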