On Fri, May 15, 2009 at 1:55 PM, Tim Chase <[email protected]> wrote:
> One more option that occurs to me is that you can stash all of
> the POSTed variables into a session-store with a hash key,
> redirect with some sort of "load POST variables from this
> hash-key" GET page, and then when the login is done, redirect to
> your form, loading the contents from the session-store based on
> the key you pass in.

The Django admin used to do this, actually. Then we stopped doing it because it turns out to be a gigantic security hole that can't be closed -- doing this basically consists of building a free CSRF exploit into your site.

-- 
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."
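
The stash-and-replay flow discussed in this thread, as an added toy model that is not part of the original messages and is not Django code. The `Site` class, the `/change-email` endpoint and the addresses are constructed, and the model assumes the replay applies the stashed body without re-checking a token; the second mode drops the body and keeps only a `next` URL.

```python
import secrets

class Site:
    """Toy login-required POST endpoint (constructed for illustration)."""
    def __init__(self):
        self.sessions = {}  # sid -> {"user", "csrf", "stash"}
        self.emails = {"alice": "alice@example.test"}

    def new_session(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": None, "csrf": secrets.token_hex(16), "stash": {}}
        return sid

    def post_change_email(self, sid, form, replay_after_login):
        s = self.sessions[sid]
        if s["user"] is None:
            # Anonymous request: nothing ties this body to a form the site served.
            if replay_after_login:
                key = secrets.token_hex(8)
                s["stash"][key] = form  # the pattern from the quoted message
                return ("redirect", "/login?replay=" + key)
            return ("redirect", "/login?next=/change-email")  # body discarded
        if not secrets.compare_digest(form.get("csrf", ""), s["csrf"]):
            return ("forbidden", None)
        self.emails[s["user"]] = form["email"]
        return ("ok", None)

    def login(self, sid, user, replay_key=None):
        s = self.sessions[sid]
        s["user"] = user
        s["csrf"] = secrets.token_hex(16)  # rotate the token on login
        form = s["stash"].pop(replay_key, None)
        if form is not None:
            # Replay runs with the user's authority; the token check above
            # is never reached for the stashed body (modelled assumption).
            self.emails[user] = form["email"]
        return ("redirect", "/change-email")

def run(replay_after_login):
    """Send a constructed foreign form body while anonymous, then log in."""
    site = Site()
    sid = site.new_session()
    foreign = {"email": "other@example.test", "csrf": ""}  # no valid token
    _, loc = site.post_change_email(sid, foreign, replay_after_login)
    key = loc.split("replay=")[1] if "replay=" in loc else None
    site.login(sid, "alice", key)
    return site.emails["alice"]
```

With replay enabled the stored address changes as soon as the user logs in; with the body discarded, the user lands on the form again and must submit it with the token from their own session.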

