[security] HTTP and HTTPS URL issue (was RE: security)
Dan Lyke
danlyke at flutterby.com
Fri Oct 27 19:01:33 UTC 2006
On Fri, 27 Oct 2006 11:49:13 -0700, Pete Rowley wrote:
> That was the point of the original attack - causing someone to log
> into an account controlled by the attacker.
Martin's point is that the Relying Party needs to process the
redirected-to URL as the identifier, so if this redirect URL is new to
the Relying Party, it should be treated as an entirely new URL, not
the one the user initially entered.
Dan
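
An added illustration of the rule described in the message above (not code from the thread or from any library): a relying party that follows redirects and keys the local account on the redirected-to URL rather than on the URL the user typed. The redirect table, the hostnames and the `RelyingParty` class are constructed for this example and stand in for real HTTP fetches.

```python
from urllib.parse import urlsplit, urlunsplit

MAX_REDIRECTS = 5

# Constructed sample data: a redirect table standing in for real HTTP fetches.
REDIRECTS = {
    "http://alice.example/": "https://alice.example/",
    "http://bob.example/": "https://idp.example/users/bob",
}

def normalize(url):
    """Lowercase scheme and authority, default the path to '/', drop the fragment."""
    p = urlsplit(url)
    if p.scheme.lower() not in ("http", "https") or not p.hostname:
        raise ValueError("identifier must be an http(s) URL: %r" % url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))

def resolve_identifier(entered, redirects=REDIRECTS):
    """Follow redirects and return the final URL, which is the identifier."""
    url, seen = normalize(entered), set()
    while url in redirects:
        if url in seen or len(seen) >= MAX_REDIRECTS:
            raise ValueError("redirect loop or too many redirects")
        seen.add(url)
        url = normalize(redirects[url])
    return url

class RelyingParty:
    def __init__(self, redirects=REDIRECTS):
        self.redirects = redirects
        self.accounts = {}  # identifier URL -> local account name

    def login(self, entered):
        """Key the account on the redirected-to URL, never on what was typed."""
        identifier = resolve_identifier(entered, self.redirects)
        is_new = identifier not in self.accounts
        if is_new:
            # A redirect target the RP has not seen before is a new identity.
            self.accounts[identifier] = "acct-%d" % (len(self.accounts) + 1)
        return identifier, self.accounts[identifier], is_new
```

If the redirect for an entered URL later points somewhere else, `login` returns a different identifier and a fresh account, so the existing account is not handed to whoever controls the new target.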