
Restrict Access to Page

Aug 22, 2006

Hi,

I'm using the Restrict Access to Page server behavior. If a user is not
logged in and enters upload.php he should be redirected to ab_admin.php.
That works, but in the address field the url is displayed as:

http://localhost/aba03/miscel/ab_admin.php?accesscheck=%2Faba03%2Fmiscel%2Fupload.php

What about these "%2"-entities? I didn't change anything in the source code.

Regards
carl
Aug 22, 2006
http://www.w3schools.com/tags/ref_urlencode.asp


"carl" <carl@nospam.net> wrote in message
news:ecf8n9$66$1@forums.macromedia.com...
> Hi,
>
> I'm using the Restrict Access to Page server behavior. If a user is not
> logged in and enters upload.php he should be redirected to ab_admin.php. That
> works, but in the address field the url is displayed as:
>
> http://localhost/aba03/miscel/ab_admin.php?accesscheck=%2Faba03%2Fmiscel%2Fupload.php
>
> What about these "%2"-entities? I didn't change anything in the source
> code.
>
> Regards
> carl


Aug 22, 2006

crash wrote:
> http://www.w3schools.com/tags/ref_urlencode.asp
>

Thank you - "%2f" means a slash. But why does D8 input these slashes (I
didn't), where do they come from?

Carl

Aug 22, 2006

It didn't - your server did. What it's doing is creating a string variable
to feed to your login page to tell the login page (which is located at
whatever/login.php) where to redirect your browser to after it's logged in.

I see I have it as well. I don't know if it raises any valid security
concerns or not, but I would sure rather have it hidden...

Jon

"carl" <carl@nospam.net> wrote in message
news:ecfch0$4nr$1@forums.macromedia.com...
> crash wrote:
>> http://www.w3schools.com/tags/ref_urlencode.asp
>>
>
> Thank you - "%2f" means a slash. But why does D8 input these slashes (I
> didn't), where do they come from?
>
> Carl


Aug 22, 2006

Hi Jon,

wow - I'm not the only one with that code (that's somehow satisfying).
Perhaps someone could tell us what's going on.
Thank you for the response.

Carl


crash wrote:
> It didn't - your server did. What it's doing is creating a string variable
> to feed to your login page to tell the login page (which is located at
> whatever/login.php) where to redirect your browser to after it's logged in.
>
> I see I have it as well. I don't know if it raises any valid security
> concerns or not, but I would sure rather have it hidden...

Aug 23, 2006

🙂 I can tell you what's going on. Just not why it's setting it as it is
instead of a session variable or something.

I didn't find anything while looking at this yesterday that said it would
cause a problem - the only thing I found was a reference to Opera having a
vulnerability in regards to the %2f as it relates to domain spoofing.

Looking like everything should be fine, just not pretty. I'll post back if
I find contrary information.

HTH,

Jon
"carl" <carl@nospam.net> wrote in message
news:ecfquq$maa$1@forums.macromedia.com...
> Hi Jon,
>
> wow - I'm not the only one with that code (that's somehow satisfying).
> Perhaps someone could tell us what's going on.
> Thank you for the response.
>
> Carl
>
>
> crash wrote:
>> It didn't - your server did. What it's doing is creating a string
>> variable to feed to your login page to tell the login page (which is
>> located at whatever/login.php) where to redirect your browser to after
>> it's logged in.
>>
>> I see I have it as well. I don't know if it raises any valid security
>> concerns or not, but I would sure rather have it hidden...


Aug 23, 2006

Thank you, Jon !!

Carl

crash wrote:
> 🙂 I can tell you what's going on. Just not why it's setting it as it is
> instead of a session variable or something.
>
> I didn't find anything while looking at this yesterday that said it would
> cause a problem - the only thing I found was a reference to Opera having a
> vulnerability in regards to the %2f as it relates to domain spoofing.
>
> Looking like everything should be fine, just not pretty. I'll post back if
> I find contrary information.
>

Aug 23, 2006
No worries mate. Let me know as well if you find anything nasty about this,
or an easy solution.

The only thing I can think of, is *perhaps* you could spoof a page that had
a different clearance level with a URL spoof and try to get into higher
level pages than your username typically allows you.

I'll check on that today at some point.

"carl" <carl@nospam.net> wrote in message
news:echnoa$196$1@forums.macromedia.com...
> Thank you, Jon !!
>
> Carl
>
> crash wrote:
>> 🙂 I can tell you what's going on. Just not why it's setting it as it is
>> instead of a session variable or something.
>>
>> I didn't find anything while looking at this yesterday that said it would
>> cause a problem - the only thing I found was a reference to Opera having a
>> vulnerability in regards to the %2f as it relates to domain spoofing.
>>
>> Looking like everything should be fine, just not pretty. I'll post back
>> if I find contrary information.
>>
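The mechanism described in the thread (the restricted page passes the requested path to the login page in `accesscheck`), shown as an added example that is not part of the thread and is not the code Dreamweaver generates. The function names and the fallback path are hypothetical; the login-page side accepts only a site-local path and otherwise falls back to a default.

```php
<?php
// Added example, not Dreamweaver-generated code; function names are hypothetical.

// Restricted page: build the login URL that carries the requested path.
function build_login_redirect(string $loginPage, string $requestUri): string
{
    // urlencode() escapes "/" as "%2F", which is where the "%2F" runs come from.
    return $loginPage . '?accesscheck=' . urlencode($requestUri);
}

// Login page: choose the post-login destination from the accesscheck value.
// The result is only a destination; the page there still runs its own check.
function safe_return_path(?string $accesscheck, string $default): string
{
    if ($accesscheck === null || $accesscheck === '') {
        return $default;
    }
    // $_GET values arrive already percent-decoded, so do not decode again.
    // Refuse control characters and backslashes outright.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $accesscheck) === 1) {
        return $default;
    }
    // Accept only a site-local absolute path: "/..." but never "//host/...".
    if ($accesscheck[0] !== '/' || substr($accesscheck, 0, 2) === '//') {
        return $default;
    }
    return $accesscheck;
}

// Constructed sample values (not from a real request); the default is assumed.
$default = '/aba03/miscel/ab_admin.php';
echo build_login_redirect('ab_admin.php', '/aba03/miscel/upload.php'), "\n";
$samples = [
    '/aba03/miscel/upload.php',           // the value from the thread: kept
    'http://example.invalid/upload.php',  // absolute URL: falls back
    '//example.invalid/upload.php',       // scheme-relative URL: falls back
    "/aba03/miscel/upload.php\r\nX: 1",   // embedded CR/LF: falls back
    null,                                 // parameter absent: falls back
];
foreach ($samples as $value) {
    echo json_encode($value, JSON_UNESCAPED_SLASHES), ' -> ',
         safe_return_path($value, $default), "\n";
}
```

The first line printed is `ab_admin.php?accesscheck=%2Faba03%2Fmiscel%2Fupload.php`, the same query string as in the original post.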