by lstamour
972 days ago
Also only allow redirects to your domain or website, not literally anywhere on the internet. And the token should stay in your website’s cookies - it’s unclear why the second redirect would ever need to pass a token if it can read it from site cookies in the first place.
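An added example of the "only redirect to your own site" rule from the comment above (not code from the thread or any project it refers to): a post-login redirect guard that accepts same-site paths and absolute URLs on an allow-listed host, and falls back to a default landing page for everything else, including the protocol-relative, backslash, userinfo and non-http scheme forms that browsers would otherwise turn into an off-site hop. `ALLOWED_HOSTS` and `DEFAULT_REDIRECT` are assumed values for illustration.

```python
"""Redirect-target guard: only allow post-login redirects to our own site."""
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Hosts this application may redirect to (constructed example values).
ALLOWED_HOSTS = frozenset({"example.com", "www.example.com"})
DEFAULT_REDIRECT = "/"  # assumed safe landing page


def safe_redirect_target(target: Optional[str],
                         allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> str:
    """Return `target` if it stays on our site, otherwise DEFAULT_REDIRECT.

    Accepts a plain path ("/account") or an http(s) URL whose host is in
    `allowed_hosts`; rejects anything a browser could treat as a different
    origin (//evil.com, /\\evil.com, user@host, javascript:, sub.example.com.evil.com).
    """
    if not target:
        return DEFAULT_REDIRECT
    # Browsers normalise backslashes to slashes, so "/\evil.com" is really
    # the protocol-relative "//evil.com". Normalise before parsing.
    normalised = target.replace("\\", "/")
    # Control characters can split or hide parts of the URL; refuse them.
    if any(ord(c) < 0x20 or c == "\x7f" for c in normalised):
        return DEFAULT_REDIRECT
    try:
        parts = urlsplit(normalised)
    except ValueError:  # e.g. malformed IPv6 literal
        return DEFAULT_REDIRECT
    if parts.netloc:
        # Absolute (or protocol-relative) URL: require http(s) and an exact host match.
        if parts.scheme not in ("http", "https"):
            return DEFAULT_REDIRECT
        if "@" in parts.netloc:  # "example.com@evil.com" lands on evil.com
            return DEFAULT_REDIRECT
        if parts.hostname not in {h.lower() for h in allowed_hosts}:
            return DEFAULT_REDIRECT
        return normalised
    if parts.scheme:  # javascript:, data:, mailto: ... with no host
        return DEFAULT_REDIRECT
    # Host-less target: must be a single-slash path on this site.
    if not normalised.startswith("/") or normalised.startswith("//"):
        return DEFAULT_REDIRECT
    return normalised
```

The session token itself never appears in the target: as the comment notes, it lives in the site's cookies and is sent automatically on the follow-up request.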