--- e-smith-manager-2.8.0.old/root/etc/e-smith/web/common/cgi-bin/login 2017-01-16 18:52:49.634000000 -0500
+++ e-smith-manager-2.8.0/root/etc/e-smith/web/common/cgi-bin/login 2017-01-19 18:43:52.664000000 -0500
@@ -129,6 +129,13 @@
 my $ip_addr = $at->ignore_ip ? undef : $ENV{REMOTE_ADDR};
 my $redirected = 0;
+my $b = URI->new($back);
+# If $back domain doesn't match $AUTH_DOMAIN, stop there do not give opportunity to log in
+my $domain = $AUTH_DOMAIN || $server_name;
+if ($b->host !~ m/\b$domain$/i) {
+ $fatal="Bad redirection parameter: \"$back\" is not an authorized redirection.
\nYou may be experiencing an attack.
\nLogin is not possible on the above URL for your own security.
\nPlease manually enter the address you were trying to reach if you followed a link.";
+ }
+
 # ------------------------------------------------------------------------
 # Set the auth cookie and redirect to $back
 my $set_cookie_redirect = sub {
@@ -156,14 +163,6 @@
 print $q->header( -cookie => $cookie );
 #return 0 if $debug;
- my $b = URI->new($back);
- # If $back domain doesn't match $AUTH_DOMAIN, pass ticket via back GET param
- my $domain = $AUTH_DOMAIN || $server_name;
- if ($b->host !~ m/\b$domain$/i) {
- $back .= $b->query ? '&' : '?';
- $back .= $at->cookie_name . '=' . $tkt;
- }
-
 # For some reason, using a Location: header doesn't seem to then see the
 # cookie, but a meta refresh one does - weird
 print $q->start_html(
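Review bot: The redirect allow-check at `if ($b->host !~ m/\b$domain$/i) {` interpolates `$domain` into the pattern unescaped and anchors only with `\b`, so a host whose dots differ from the configured domain, or one that merely ends in the domain after a hyphen, still satisfies the match and the open redirect this hunk is meant to close remains partly open; a tighter form is `if (($b->host // '') !~ m/(?:\A|\.)\Q$domain\E\z/i) {`. Note also that `$b->host` is undefined or unavailable when `$back` carries no scheme or authority (a relative path), so that case should be handled explicitly before the comparison rather than left to fall through the mismatch branch. The hunk assigns `$fatal` but nothing shown here stops execution, so refusing the login as the comment promises presumably depends on `$fatal` being checked before `$set_cookie_redirect` is invoked further down, outside this hunk; worth confirming. Since the message echoes `$back`, the code path that renders `$fatal` should HTML-escape it (for example via `$q->escapeHTML`).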