summaryrefslogtreecommitdiff
path: root/cgitrc.5.txt
diff options
context:
space:
mode:
authorJason A. Donenfeld <Jason@zx2c4.com>2014-01-16 10:39:17 +0000
committerJason A. Donenfeld <Jason@zx2c4.com>2014-01-16 11:13:39 +0000
commitb826537cb4aa2358027ffcb1dd6a87274734e962 (patch)
tree7c749c66d868cb996828d2b65a4bede58b5ebd62 /cgitrc.5.txt
parentd6e9200cc35411f3f27426b608bcfdef9348e6d3 (diff)
downloadcgit-b826537cb4aa2358027ffcb1dd6a87274734e962.tar
cgit-b826537cb4aa2358027ffcb1dd6a87274734e962.tar.gz
cgit-b826537cb4aa2358027ffcb1dd6a87274734e962.zip
authentication: use hidden form instead of referer
This also gives us some CSRF protection. Note that we make use of the hmac to protect the redirect value. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'cgitrc.5.txt')
-rw-r--r--cgitrc.5.txt3
1 files changed, 2 insertions, 1 deletions
diff --git a/cgitrc.5.txt b/cgitrc.5.txt
index c45dbd3..682d8bb 100644
--- a/cgitrc.5.txt
+++ b/cgitrc.5.txt
@@ -662,7 +662,8 @@ auth filter::
the http cookie and return a 0 if it is invalid or 1 if it is invalid,
in the exit code / close function. If the filter action is
"authenticate-post", this filter receives POST'd parameters on
- standard input, and should write to output one or more "Set-Cookie"
+ standard input, and should write a complete CGI request, preferably
+ with a 302 redirect, and write to output one or more "Set-Cookie"
HTTP headers, each followed by a newline.
Please see `filters/simple-authentication.lua` for a clear example