
Redirect Back #991

Closed
natanfelles opened this issue Apr 20, 2018 · 2 comments

Comments

@natanfelles
Contributor

Situation:

I created two pages, one for editing and another for updating data.

The edit page has a POST form with the address of the update page in the action param.

The update page interacts with the database and redirects back to the edit page with:

// Update page (PHP, CodeIgniter 4): redirect to the previous URL and attach flash data
return redirect()->back()->with('alert', [
	'type'    => 'success',
	'content' => 'Post successfully updated.',
]);

Ok. But...

The following issue occurs:

After entering the editing page, I open a new tab in the browser and visit other pages. Returning to the editing page, when I send the form the redirect goes to the last page accessed in the other tab.

This is because the previous URL (last accessed) is saved in the session:

https://github.com/bcit-ci/CodeIgniter4/blob/789067350c9a010921b73e18c0cea8254a69d7d5/system/CodeIgniter.php#L833-L845

My doubt is: is it really needed to save the last page in the session and use it instead of only trusting the HTTP Referer?

https://github.com/bcit-ci/CodeIgniter4/blob/789067350c9a010921b73e18c0cea8254a69d7d5/system/Helpers/url_helper.php#L182-L192

https://github.com/bcit-ci/CodeIgniter4/blob/789067350c9a010921b73e18c0cea8254a69d7d5/system/HTTP/RedirectResponse.php#L101-L106

Because the HTTP Referer stores where the request came from and not the last accessed page as the session does (which can be any other page on the site, in another browser tab).

@lonnieezell
Member

Yes, we need it for a couple of reasons, not the least of which is security. Any of the HTTP_ headers can be set on the client level, so if we don't store URLs ourselves it could easily be abused during phishing attempts, inserted JavaScript files, etc., to redirect the user back to another site for an instant, grab the user's old form data, and send them back to the page. The URI that we saved is cleaned up and only uses the host set in Config\App\appURL, so it should protect the user against a lot of that.

There were also some usability issues I encountered during testing that I don't recall at the moment, but that caused them to not be accurate. One thing you could potentially do is to set the previous URL in a header and save it in your page. I don't think we could make that work on a framework level, unfortunately, but it could save it on a per-page basis that way...
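
Added example, not code from the issue or from CodeIgniter itself: a same-origin check of the kind the comment above describes, which accepts a candidate "back" URL only when its scheme, host and port match the configured app URL, re-roots relative paths on that origin, and otherwise falls back to a fixed route. The function name safeBackUrl, the $appURL stand-in for Config\App's base URL and the sample URLs are all assumptions made for the example.

```php
<?php
// Added example (not CodeIgniter's own code). $appURL stands in for the
// configured base URL; $fallbackPath is the route used when the candidate
// cannot be trusted (e.g. a Referer pointing at another host).
function safeBackUrl(?string $candidate, string $appURL, string $fallbackPath = '/'): string
{
    $app = parse_url(rtrim($appURL, '/'));
    if ($app === false || empty($app['host'])) {
        throw new InvalidArgumentException('appURL must be an absolute URL');
    }
    $fallback = rtrim($appURL, '/') . '/' . ltrim($fallbackPath, '/');

    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // Protocol-relative targets ("//host/...") and backslashes are never trusted.
    if (substr($candidate, 0, 2) === '//' || strpos($candidate, '\\') !== false) {
        return $fallback;
    }
    $c = parse_url($candidate);
    if ($c === false) {
        return $fallback;
    }
    // No host: treat as a site-relative path and re-root it on the app origin.
    if (empty($c['host'])) {
        $path = $c['path'] ?? '/';
        if ($path === '' || $path[0] !== '/') {
            return $fallback; // "javascript:..." and similar end up here
        }
        return rtrim($appURL, '/') . $path . (isset($c['query']) ? '?' . $c['query'] : '');
    }
    // Absolute URL: scheme, host and port must match the configured app URL,
    // and embedded credentials are rejected.
    if (strcasecmp($c['scheme'] ?? '', $app['scheme'] ?? '') !== 0
        || strcasecmp($c['host'], $app['host']) !== 0
        || ($c['port'] ?? null) !== ($app['port'] ?? null)
        || isset($c['user']) || isset($c['pass'])) {
        return $fallback;
    }
    return $candidate;
}

// Constructed sample values for illustration.
$appURL = 'https://app.example/';
var_dump(safeBackUrl('https://app.example/posts/7/edit', $appURL, 'posts'));  // same origin: kept
var_dump(safeBackUrl('https://other.example/posts/7/edit', $appURL, 'posts')); // foreign host: fallback
var_dump(safeBackUrl('//other.example/posts/7/edit', $appURL, 'posts'));       // protocol-relative: fallback
var_dump(safeBackUrl('/posts/7/edit?tab=1', $appURL, 'posts'));               // relative: re-rooted
```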

@natanfelles
Contributor Author

Uhm, I get it.

Now I think the easiest implementation could be redirecting straight to a URI or a named route(), then, avoiding the back() in this case.

Thank you again.
