“Imagine you have some kind of system that you administer through a web GUI, such as HotMail, your Netscape Admin server or a site like Zope.org. You get in to work and use this service for a while (check your mail, manage your servers, whatever). For our example, let's say you were using the Netscape admin
Later in the day someone sends you an email asking you to look at a web page. You go to the page using the browser session where earlier you had logged in to the admin server. However, the page does a redirect to a URL of your admin server that causes your main web server to be deleted! The redirect will succeed, as you’ve already logged in to the admin server earlier with sufficient privileges to delete your server.
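The scenario in the quoted passage is a cross-site request forgery: the browser attaches the admin session cookie to any request for the admin server, whoever caused the request. The following is an added example, not code from the quoted text or from any of the products it names (Python is used because Zope is a Python system). It models a tiny admin endpoint two ways: a handler that deletes a server on a plain GET with nothing but a valid session cookie, and a hardened handler that requires a POST carrying a per-session anti-CSRF token that a foreign page cannot read. The endpoint paths, session ids, server names and the `Request` class are all constructed for illustration.

```python
"""Added illustration of the forged-redirect problem and a standard mitigation.
Everything here (paths, sessions, server names, the Request type) is constructed;
it is not Zope, Netscape or HotMail code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SERVERS = {"www", "mail"}          # constructed: servers the admin GUI manages
SESSIONS = {"sid-123": "alice"}    # constructed: session cookie value -> logged-in user
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment secret used to MAC tokens


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # the browser attaches these automatically
    form: dict = field(default_factory=dict)     # body fields: only what the page sends


def csrf_token(session_id: str) -> str:
    """Token bound to the session. The admin GUI embeds it in its own forms;
    a page on another origin cannot read it, so a forged request lacks it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_delete(req: Request, servers: set):
    """The pattern in the quote: any GET with a valid session cookie deletes."""
    if SESSIONS.get(req.cookies.get("sid")) is None:
        return 401, "login required"
    name = req.path.rsplit("/", 1)[-1]   # e.g. /admin/delete/www -> "www"
    servers.discard(name)
    return 200, f"deleted {name}"


def hardened_delete(req: Request, servers: set):
    """Same action, but state changes need POST plus a valid session-bound token."""
    sid = req.cookies.get("sid")
    if SESSIONS.get(sid) is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "state change requires POST"
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(csrf_token(sid), supplied):  # constant-time compare
        return 403, "missing or invalid CSRF token"
    name = req.form.get("server", "")
    if name not in servers:
        return 404, "no such server"
    servers.discard(name)
    return 200, f"deleted {name}"


def forged_get_outcome(handler):
    """A GET produced by following a redirect from an unrelated page (constructed):
    the browser attaches the session cookie, the foreign page supplies nothing else."""
    servers = set(SERVERS)
    req = Request("GET", "/admin/delete/www", cookies={"sid": "sid-123"})
    status, _ = handler(req, servers)
    return status, sorted(servers)


def forged_post_outcome(handler):
    """A cross-site POST that carries the cookie but cannot carry the token (constructed)."""
    servers = set(SERVERS)
    req = Request("POST", "/admin/delete", cookies={"sid": "sid-123"},
                  form={"server": "www"})
    status, _ = handler(req, servers)
    return status, sorted(servers)


def legitimate_outcome(handler):
    """The request the admin GUI's own form produces, token included (constructed)."""
    servers = set(SERVERS)
    req = Request("POST", "/admin/delete", cookies={"sid": "sid-123"},
                  form={"server": "www", "csrf_token": csrf_token("sid-123")})
    status, _ = handler(req, servers)
    return status, sorted(servers)
```

With the vulnerable handler the redirected GET returns 200 and `www` is gone; with the hardened handler the same GET is refused (405), a cross-site POST without the token is refused (403), and only the GUI's own form, which carries the token, succeeds. Marking the session cookie `SameSite=Lax` or `Strict` is a complementary browser-side layer, but the token check is what makes the server itself refuse a forged request.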