Comment 11 for bug 1440958

Lin Hua Cheng (lin-hua-cheng) wrote :

If horizon (django) redirects to http://hacked_site after login, it would just perform a simple redirect [1] to the hacked site. Horizon stores the session information of the logged-in user in the cookie, but the cookie will be scoped to the domain of horizon. So the bad site it redirected to will not be able to access any of the session information.

[1] https://github.com/django/django/blob/master/django/contrib/auth/views.py#L47-L53
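As an added demonstration (not code from this bug thread, from Horizon or from Django), the following standard-library Python illustrates the two points made in the comment: a cookie jar that received a session cookie scoped to the dashboard host attaches it to later requests to that host but not to a request to a different host, and a same-host check of the kind a login view can apply to its `next` target before redirecting, so that an absolute URL pointing at another site is refused instead of followed. The host names `horizon.example` and `hacked.example`, the session cookie value and the function names are all constructed for this example.

```python
"""Added demonstration (not code from the bug thread, Horizon or Django).

Two pieces:
  * cookie_header_for(): a stdlib cookie jar receives a session cookie
    scoped to the dashboard host; we ask which Cookie header it would
    attach to a request to a given URL (None means no cookie is sent).
  * is_same_host_redirect(): a same-host check for a post-login "next"
    target, so an absolute URL pointing elsewhere is refused.
Host names and the cookie value below are constructed for the demo.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.parse import urlparse
from urllib.request import Request

DASHBOARD_HOST = "horizon.example"  # assumed dashboard host (constructed)
# Constructed Set-Cookie header as the login response might send it.
SESSION_SET_COOKIE = "sessionid=abc123; Domain=horizon.example; Path=/"


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_header: str):
        self._headers = Message()
        self._headers.add_header("Set-Cookie", set_cookie_header)

    def info(self) -> Message:
        return self._headers


def session_jar() -> CookieJar:
    """Simulate the login response that sets the session cookie for the dashboard."""
    jar = CookieJar()
    login_request = Request(f"http://{DASHBOARD_HOST}/auth/login/")
    jar.extract_cookies(_FakeResponse(SESSION_SET_COOKIE), login_request)
    return jar


def cookie_header_for(jar: CookieJar, url: str):
    """Return the Cookie header the jar would send with a request to url, or None."""
    request = Request(url)
    jar.add_cookie_header(request)  # applies the jar's domain/path policy
    return request.get_header("Cookie")


def is_same_host_redirect(target: str, allowed_host: str = DASHBOARD_HOST) -> bool:
    """Accept only relative targets or absolute http(s) URLs on allowed_host.

    Rejects other schemes (e.g. javascript:), scheme-relative '//host' and
    '///host' forms, and backslashes, which some browsers treat as slashes.
    """
    if not target:
        return False
    target = target.strip()
    if "\\" in target or target.startswith("///"):
        return False
    parts = urlparse(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc and parts.netloc.lower() != allowed_host.lower():
        return False
    return True


def demo() -> dict:
    """Run both checks and return the observations as a dict."""
    jar = session_jar()
    return {
        "cookie_to_dashboard": cookie_header_for(jar, f"http://{DASHBOARD_HOST}/project/"),
        "cookie_to_other_site": cookie_header_for(jar, "http://hacked.example/"),
        "next_relative": is_same_host_redirect("/project/"),
        "next_same_host": is_same_host_redirect(f"http://{DASHBOARD_HOST}/project/"),
        "next_other_host": is_same_host_redirect("http://hacked_site/"),
        "next_scheme_relative": is_same_host_redirect("//hacked.example/"),
        "next_other_scheme": is_same_host_redirect("javascript:void(0)"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running the block shows the session cookie attached only to the request back to `horizon.example`, and the redirect check accepting the relative and same-host targets while refusing the other-host, scheme-relative and non-http targets.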