authentication: use hidden form instead of referer

This also gives us some CSRF protection. Note that we make use of the
hmac to protect the redirect value.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
diff --git a/cgitrc.5.txt b/cgitrc.5.txt
index c45dbd3..682d8bb 100644
--- a/cgitrc.5.txt
+++ b/cgitrc.5.txt
@@ -662,7 +662,8 @@
 	the http cookie and return a 0 if it is invalid or 1 if it is invalid,
 	in the exit code / close function. If the filter action is
 	"authenticate-post", this filter receives POST'd parameters on
-	standard input, and should write to output one or more "Set-Cookie"
+	standard input, and should write a complete CGI request, preferably
+	with a 302 redirect, and write to output one or more "Set-Cookie"
 	HTTP headers, each followed by a newline.
 
 	Please see `filters/simple-authentication.lua` for a clear example
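Review bot: The added text "should write a complete CGI request" describes what the filter emits, so it should say "CGI response". As reworded, the sentence also leaves it unclear whether the "Set-Cookie" headers belong to that response's header block or are written separately. Consider: 'should write to output a complete CGI response, preferably a 302 redirect, whose headers include one or more "Set-Cookie" headers'. The commit message says the redirect value is protected by the hmac, but the documentation does not tell filter authors to check it. It would help to state here that an "authenticate-post" filter should redirect only to a value whose hmac verifies, so that custom filters do not redirect to an unvalidated target. While this paragraph is being edited, the context line "return a 0 if it is invalid or 1 if it is invalid" presumably means "1 if it is valid" and could be fixed in the same patch.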