In my current Play 2 application, the login times out after 5 minutes. When the user then clicks on any link in the application, they are redirected to the login page. After successful authentication, they are redirected to the main page.
I implemented a system in which a user is redirected to the page that they were trying to reach before being redirected to the login page.
The system works as follows: when a user with an expired session clicks on an internal link, Deadbolt determines that they are not logged in and redirects them to the login page. Before redirecting, it grabs the destination URL from the request header and stores it in the session. After the user fills out the login form, the details are submitted to the authentication action. If authentication is successful, the action checks whether the destination URL exists in the session; if so, it clears the item from the session and redirects the user to the destination URL; if not, it redirects to the main page.
The destination URL is kept as a string throughout and is passed to the method play.mvc.Results.redirect(String url) as-is.
I am wondering whether this opens up any potential attacks against my application?
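The classic risk with this design is an open redirect: if the value that ends up in the session can be influenced by an attacker (a crafted link that lands on the login flow with an absolute or protocol-relative URL as the stored destination, or a destination taken from a header such as Referer rather than from the request path), the post-login redirect becomes a trusted-looking hop to a phishing site. The mitigation is to validate the stored value before handing it to redirect() and to fall back to the main page otherwise. The following is an added example written for this answer, not code from the question or from Play/Deadbolt; it uses only the JDK, assumes the main page is "/" and that the stored value is meant to be a path on the same origin, and the class and method names are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;

public final class SafeRedirect {
    // Assumed: the application's main page, used when no safe destination is stored.
    private static final String DEFAULT_TARGET = "/";

    /**
     * Returns true only if {@code target} is an absolute path on this origin
     * (e.g. "/orders/42?tab=history") and therefore safe to pass to
     * play.mvc.Results.redirect(String) without sending the user off-site.
     */
    public static boolean isSafeLocalPath(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // Exactly one leading slash. "//evil.example" is a protocol-relative URL
        // that browsers resolve to another host, and "/\evil.example" is treated
        // the same way by several browsers.
        if (target.charAt(0) != '/') {
            return false;
        }
        if (target.length() > 1 && (target.charAt(1) == '/' || target.charAt(1) == '\\')) {
            return false;
        }
        // No control characters, whitespace, backslashes or DEL anywhere: these are
        // either rejected by the URI parser or risk corrupting the Location header.
        for (char c : target.toCharArray()) {
            if (c <= 0x20 || c == '\\' || c == 0x7f) {
                return false;
            }
        }
        // Let the JDK parser confirm nothing is hiding a scheme or an authority.
        try {
            URI uri = new URI(target);
            if (uri.getScheme() != null || uri.getRawAuthority() != null) {
                return false;
            }
            String path = uri.getRawPath();
            return path != null && path.startsWith("/");
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Chooses the post-login destination: the validated stored path, else the main page. */
    public static String postLoginTarget(String stored) {
        return isSafeLocalPath(stored) ? stored : DEFAULT_TARGET;
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for what might be found in the session.
        String[] samples = {
            "/orders/42?tab=history",      // legitimate deep link: kept
            "//evil.example/phish",        // protocol-relative: off-site, rejected
            "/\\evil.example/phish",       // backslash variant: rejected
            "https://evil.example/phish",  // absolute URL: rejected
            "javascript:alert(1)",         // scheme, not a path: rejected
            "/ok\r\nSet-Cookie: a=b",      // header injection attempt: rejected
            null                           // nothing stored: main page
        };
        for (String s : samples) {
            System.out.printf("%-32s -> %s%n", s, postLoginTarget(s));
        }
    }
}
```

In the authentication action the call would then be redirect(SafeRedirect.postLoginTarget(storedValue)) instead of redirecting to the raw session value. Two further points a reviewer would check: store only the request path (what Play exposes as the request URI), never a Referer or a user-supplied parameter, and skip storing it when the path is the login page itself, otherwise a successful login can bounce straight back to the login form.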