Implementing POST in login, redirecting to previous page with NEXT parameter #308
Comments
Any updates? Will POST be implemented? GET is not secure enough. 🙂
Hi @simon-spier0, would you be interested in opening a PR with the solution? We'd need to do the get restriction via deprecation most likely.
Hi,
I'm sorry @simon-spier0, I did not understand this issue well from the start. I'm not a fan of this change. The only thing that's being protected is the value of
I'm also not sure what the security vulnerability it could possibly be, because we have According to the docs, there is a concern around query parameters for sensitive information, but this isn't confidential information.
I understand that the However, I see your point. Would it make sense to support both GET and POST methods? Having the option to use POST could be useful for securely sending the Would it be acceptable to keep the new POST method in the code without deprecating the GET method? This way, both options would be available for developers. 🙂
Thanks for the clarification and for the PR you've opened 😊
I'm fine with adding support for Any concern comes around specifying the data (right now it's just the redirect path) and potentially having to support checking
Thank you both for your feedback! I've updated the pull request based on our discussion:
Let me know if there’s anything else you’d like to see changed. 😉
Is there a plan to merge this? 🙂
I apologize @simon-spier0. I've had a lot on my plate and this project tends to get de-prioritized when that happens. I appreciate your work and thank you for bringing this up again. |
To allow a user to be redirected to the previous or a specific page after login, Django has the default native parameter NEXT for that. When I want to implement it, this is the way:
login.html template:
It works fine, but the OWASP scanner flags it as an XSLT injection medium-priority warning.
What I did then:
Now POST support is added, but OWASP still detects it as XSLT injection. When I removed/disallowed the get() method in OAuth2LoginView, OWASP didn't detect it anymore.
My question is whether you could also add POST support to login in this library. 🙂
Thanks.
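The issue above is about carrying the `next` redirect target in a POST form instead of the query string. From a defender's point of view the transport is secondary: whichever way `next` arrives, the login view still has to validate it against the hosts it serves before redirecting, and any value reflected into the hidden form field has to be escaped. The following is an added example, not code from this issue or from the library being discussed, and it deliberately uses no Django so it runs stand-alone. `Request`, `is_safe_redirect`, `resolve_next` and `render_next_field` are hypothetical names; the validation rules are modelled on the checks Django applies to `next` but are a separate reimplementation, and the hostname and requests are constructed for the example.

```python
"""Accept a `next` redirect target from GET or POST and validate it before use.

Added example: uses no Django and is not code from the issue or the library
under discussion. Request, is_safe_redirect, resolve_next and render_next_field
are hypothetical names; the checks mirror the spirit of Django's `next`
validation but are a standalone reimplementation.
"""
from dataclasses import dataclass, field
from html import escape
from urllib.parse import urlsplit


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""
    method: str
    query: dict = field(default_factory=dict)  # parsed query string (GET)
    form: dict = field(default_factory=dict)   # parsed form body (POST)


def _passes_checks(url: str, allowed_hosts: frozenset) -> bool:
    # "///host" is read by browsers as a network-path reference; refuse it.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. an unbalanced IPv6 bracket
        return False
    # "javascript:..." or "http:///host": a scheme with no host is never a local path.
    if parts.scheme and not parts.netloc:
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    # Absolute URLs may only point back at hosts we serve.
    if parts.netloc and parts.netloc not in allowed_hosts:
        return False
    return True


def is_safe_redirect(url: str, allowed_hosts: frozenset) -> bool:
    """True if `url` is a relative path or an http(s) URL on an allowed host."""
    url = url.strip()
    if not url:
        return False
    # Chrome treats "\" as "/" in paths, so "/\evil.example" becomes "//evil.example";
    # check both the raw value and the backslash-normalised one.
    return (_passes_checks(url, allowed_hosts)
            and _passes_checks(url.replace("\\", "/"), allowed_hosts))


def resolve_next(request: Request, allowed_hosts: frozenset, default: str = "/") -> str:
    """Pick the post-login redirect target for a GET or POST login request.

    GET reads `next` from the query string, POST from the form body. Either way
    the value is validated: moving it out of the URL does not make it trustworthy.
    """
    source = request.form if request.method == "POST" else request.query
    candidate = source.get("next", "")
    return candidate if is_safe_redirect(candidate, allowed_hosts) else default


def render_next_field(next_url: str) -> str:
    """Hidden form field carrying `next` for the POST login form, with the value
    escaped so a reflected target cannot break out of the attribute."""
    return f'<input type="hidden" name="next" value="{escape(next_url, quote=True)}">'


if __name__ == "__main__":
    hosts = frozenset({"app.example.test"})  # constructed allowed host
    # Constructed requests: the POST form value wins over a stray query parameter.
    post = Request("POST", query={"next": "/ignored/"}, form={"next": "/dashboard/"})
    print(resolve_next(post, hosts))
    print(resolve_next(Request("POST", form={"next": "//evil.example/"}), hosts))
    print(render_next_field('"><script>'))
```

The point to take from the example is that a POST-only login view removes `next` from the URL (and so from referrer headers and access logs) but does nothing about where it points; `is_safe_redirect` is the check that has to run in both the GET and the POST branch, and the hidden-field rendering is where autoescaping matters for the reflected value the scanner was reacting to.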