From b826537cb4aa2358027ffcb1dd6a87274734e962 Mon Sep 17 00:00:00 2001 From: Jason A. Donenfeld Date: Thu, 16 Jan 2014 11:39:17 +0100 Subject: authentication: use hidden form instead of referer This also gives us some CSRF protection. Note that we make use of the hmac to protect the redirect value. Signed-off-by: Jason A. Donenfeld --- cgitrc.5.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'cgitrc.5.txt') diff --git a/cgitrc.5.txt b/cgitrc.5.txt index c45dbd3..682d8bb 100644 --- a/cgitrc.5.txt +++ b/cgitrc.5.txt @@ -662,7 +662,8 @@ auth filter:: the http cookie and return a 0 if it is invalid or 1 if it is invalid, in the exit code / close function. If the filter action is "authenticate-post", this filter receives POST'd parameters on - standard input, and should write to output one or more "Set-Cookie" + standard input, and should write a complete CGI request, preferably + with a 302 redirect, and write to output one or more "Set-Cookie" HTTP headers, each followed by a newline. Please see `filters/simple-authentication.lua` for a clear example -- cgit v1.2.3-70-g09d2
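Review bot: the new text in this hunk tells the "authenticate-post" filter to "write a complete CGI request", but what the filter emits on standard output is a CGI response (status line plus headers), and the sentence then continues "and write to output one or more ... headers", so "write" appears twice. Suggested wording for the two added lines: `standard input, and should write a complete CGI response, preferably` / `with a 302 redirect, followed by one or more "Set-Cookie"`. Since this paragraph is being touched anyway, the unchanged context line "return a 0 if it is invalid or 1 if it is invalid" has the same clause twice; the second should read "1 if it is valid". The commit message says the redirect value is protected by the hmac, but nothing in the manual text tells a filter author that the redirect target must be validated before it is placed in the Location header; a sentence pointing at `filters/simple-authentication.lua` for how the hmac check is done would make that requirement visible to anyone writing their own filter.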