What are the security concerns with redirecting a user after login to a url supplied in the login form?

I have a members area on my site where if a user is not logged in, they are redirected to the login url with ?redirect=[CURRENT_URL] and they are redirected back to [CURRENT_URL] once they successfully login.

What are the potential security issues with this approach, how to prevent them and what are the alternatives?

E.g., a malicious user can link to my site with a redirect link to another site; would that other site be able to steal my user's login cookie? Is it possible to run arbitrary JavaScript on my site with this approach?


If the current URL is not redacted, you can be subject to

  • XSS (stealing cookies, injecting scripts)
  • Response Header Splitting

etc

If you know current URL is a constant and has NO parameters, it's not as risky. As soon as you add parameters or make the url based on user input, trickiness ensues.

A trivial example of XSS:

Say your url can have a query string injected via user input. Then what stops them from saying

redirectUrl="yoursite.jsp?somevariable="alert('malware')"); or redirectUrl="yoursite.jsp?somevariable="alert(document.cookies)");

And stealing your cookies or executing other evil JavaScript.

Response splitting is more complicated. Basically if you can inject a CRLF you can do some very whacky things.

Wikipedia has a decent explanation of this vulnerability - there are others you can find by googling for http response splitting.

I've left out the most obvious attack, which is if the user can control the URL they can go to a site that LOOKS like yours and convince the user to enter credit cards, credentials etc. E.g. if you are a bank, and someone can inject

redirectURL="http://myfakebank.com"

and copies your page, gosh, the user will happily say "Sure, I'll re-enter my credentials".

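The answer lists the three failure modes of a `?redirect=` parameter (leaving the site, `javascript:`/CRLF injection, and the value being echoed unescaped into the page). The following validator is an added example, not code from the question or answer; `DEFAULT_TARGET` and the field name `redirect` are assumptions chosen for the example, and it returns only root-relative paths on the same site.

```python
"""Validate a ?redirect= value before using it as a post-login Location."""
import html
from urllib.parse import urlsplit, urlunsplit

DEFAULT_TARGET = "/members/"  # constructed fallback for this example


def safe_redirect_target(redirect, default=DEFAULT_TARGET):
    """Return a same-site, root-relative path to redirect to, or `default`.

    Rejects anything that could leave the site (absolute or scheme-relative
    URLs), carry a non-HTTP scheme such as javascript:, or smuggle CR/LF
    into the Location header (response splitting).
    """
    if not redirect:
        return default
    # Control characters and whitespace: CRLF enables header injection, and
    # browsers tolerate tabs/newlines inside schemes ("java\tscript:").
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F or ch.isspace() for ch in redirect):
        return default
    # Browsers treat backslash as a slash in http(s) URLs, so "/\evil.example"
    # is resolved like "//evil.example"; refuse it outright.
    if "\\" in redirect:
        return default
    parts = urlsplit(redirect)
    # Any scheme or authority means an absolute URL (https://evil.example),
    # a scheme-relative one (//evil.example) or javascript:/data: -> refuse.
    if parts.scheme or parts.netloc:
        return default
    # Only root-relative paths with a single leading slash are accepted.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    # Dot segments would be normalised by the browser into something we did
    # not check; keep it simple and reject them.
    if any(seg in ("..", ".") for seg in parts.path.split("/")):
        return default
    # Rebuild without scheme, netloc or fragment so the result is exactly
    # what was validated (the fragment never reaches the server anyway).
    return urlunsplit(("", "", parts.path, parts.query, ""))


def redirect_field_html(target):
    """Echo the validated target back into the login form as a hidden field.

    Even a same-site value can carry quotes and angle brackets in its query
    string, so it is HTML-escaped before being placed inside an attribute.
    """
    escaped = html.escape(target, quote=True)
    return '<input type="hidden" name="redirect" value="%s">' % escaped
```

Pass the original parameter through `safe_redirect_target` both when rendering the login form and when issuing the final redirect, since the hidden field comes back from the client and must be treated as untrusted again.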
