@@ -1006,6 +1006,15 @@ implementation details see :ref:`using-the-views`.
authenticated users accessing the login page will be redirected as if
they had just successfully logged in. Defaults to ``False``.
+ .. warning::
+
+ If you enable ``redirect_authenticated_user``, other websites will be
+ able to determine if their visitors are authenticated on your site by
+ requesting redirect URLs to image files on your website. To avoid
+ this "`social media fingerprinting
+ <https://robinlinus.github.io/socialmedia-leak/>`_" information
+ leakage, host all images and your favicon on a separate domain.
+
* ``success_url_allowed_hosts``: A :class:`set` of hosts, in addition to
:meth:`request.get_host() <django.http.HttpRequest.get_host>`, that are
safe for redirecting after login. Defaults to an empty :class:`set`.
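Review bot: the mitigation in the added warning (host all images and the favicon on a separate domain) only holds while that image domain is not listed in ``success_url_allowed_hosts``, the option documented in the context lines immediately below; if the separate domain is added to that set, a post-login redirect to an image on it is allowed again and the probe works exactly as before. Suggest ending the warning with a sentence such as "and do not add that domain to ``success_url_allowed_hosts``". It would also help readers to spell out the probe in one clause rather than "requesting redirect URLs to image files": a third-party page loads your login URL with a redirect target pointing at an image on your site, and whether the image loads (authenticated visitor, redirect followed) or errors (login page HTML returned) tells that page whether the visitor is logged in.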