smart-dev-sandbox
Open Redirect
We've been running an instance of this, and a security scan flagged the launch_url CGI parameter as having an open redirect vulnerability. The vulnerability has to do with phishing attacks, where you can give someone a link that starts with a trustworthy site but actually redirects to some malicious website. Example: https://launch.smarthealthit.org/?launch_url=https://evil.example.com
I think one way to solve this would be changing the initial page to a POST submission, and removing launch_url from the CGI parameters, and then for subsequent links putting the url in a session cookie.