
Redirect to last page visited is broken #569

Open
leofeyer opened this issue Jul 9, 2019 · 9 comments

@leofeyer
Member

commented Jul 9, 2019

The idea behind the "redirect to last page visited" feature is that when a visitor opens a protected page without being logged in, they are redirected to the login page and then back to the page they initially wanted to open. However, the error 401 page does not store the referer, so the redirect cannot work.

@leofeyer leofeyer added the defect label Jul 9, 2019

@leofeyer leofeyer added this to the 4.8 milestone Jul 9, 2019

@Toflar
Member

commented Jul 9, 2019

Sounds like login.html?referrer=/en/protected.html just like in the back end?

@aschempp
Contributor

commented Jul 10, 2019

Isn't that exactly what the login module does? #565

@leofeyer
Member Author

commented Jul 10, 2019

No.

> they are redirected to the login page and then back to the page they initially wanted to open. However, the error 401 page does not store the referer, so the redirect cannot work.

@aschempp
Contributor

commented Jul 10, 2019

The 401 page does not store the referrer, but the login module on that page does. So if the user submits the login information, the _target_path will contain the referrer. And the firewall success handler will redirect back to that page (if the user enabled redirectBack in the login module).

@leofeyer
Member Author

commented Jul 11, 2019

No.

  • Open my-account.html without being logged in
  • You will be redirected to login.html
  • The _target_path will not contain my-account.html

@aschempp
Contributor

commented Jul 11, 2019

Sounds like #565 is not working then?

Did you use 2FA while testing this?

@leofeyer
Member Author

commented Jul 11, 2019

#565 relies on the referer being stored in the session, so $this->getReferer() can read it. However, due to the early redirect, the referer is never stored in the session.

@aschempp
Contributor

commented Jul 11, 2019

The whole System::getReferer() method seems related to the back end. I don't know why this was ever used in the front end modules and pages. Maybe it would be fixed by simply using Environment::get('httpReferer')?

@leofeyer
Member Author

commented Jul 11, 2019

Nope, the referrer management was always BE and FE.

> Maybe it would be fixed by simply using Environment::get('httpReferer')?

If there are no security implications (however, I think there are), this could solve the problem. @ausi /cc
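The security implication hinted at above is the usual one for any "redirect back" value that originates from the client (an `_target_path` form field or the HTTP `Referer` header): if the value is used unchecked, an attacker-supplied link can turn the login page into an open redirect. The following is an added example, not Contao's code and not part of this issue; the function name `safeRedirectTarget`, the `$trustedHost` parameter and the sample inputs are assumptions made for illustration. It accepts only same-host paths, rejects protocol-relative and scheme-only values, and refuses to bounce back to the login page itself.

```php
<?php
// Added example (not Contao's code). Validates a client-supplied
// "redirect back" target before the login success handler uses it.

declare(strict_types=1);

/**
 * Return a safe, site-local path to redirect to after login, or $fallback.
 *
 * Assumptions (hypothetical, not from the issue): $target is the raw value
 * of _target_path or the Referer header; $trustedHost is the site's own
 * host name; $loginPath is the login page that must never be the target.
 */
function safeRedirectTarget(
    ?string $target,
    string $trustedHost,
    string $fallback = '/',
    string $loginPath = '/login.html'
): string {
    if ($target === null || $target === '') {
        return $fallback;
    }

    // Control characters (including CR/LF) would allow header injection.
    if (preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return $fallback;
    }

    $parts = parse_url($target);
    if ($parts === false) {
        return $fallback;
    }

    if (isset($parts['host'])) {
        // Absolute or protocol-relative URL: only http(s) on our own host,
        // and no userinfo tricks like "https://trusted@evil.example".
        $scheme = strtolower($parts['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)
            || strcasecmp($parts['host'], $trustedHost) !== 0
            || isset($parts['user'])) {
            return $fallback;
        }
    } elseif (isset($parts['scheme'])) {
        // e.g. "javascript:..." or "data:..." with no host part
        return $fallback;
    }

    $path = $parts['path'] ?? '/';

    // Must be an absolute path on this site; "//host" and "/\host" are
    // interpreted by browsers as protocol-relative URLs.
    if ($path === '' || $path[0] !== '/'
        || substr($path, 0, 2) === '//' || substr($path, 0, 2) === '/\\') {
        return $fallback;
    }

    // Redirecting back to the login page would loop.
    if ($path === $loginPath) {
        return $fallback;
    }

    $result = $path;
    if (isset($parts['query'])) {
        $result .= '?' . $parts['query'];
    }
    if (isset($parts['fragment'])) {
        $result .= '#' . $parts['fragment'];
    }

    return $result;
}

// Constructed sample inputs (not taken from the issue).
$samples = [
    '/en/protected.html',                        // ok: site-local path
    'https://example.org/my-account.html?x=1',  // ok: own host
    'https://evil.example/phish',               // rejected: foreign host
    '//evil.example/phish',                     // rejected: protocol-relative
    '/\\evil.example',                           // rejected: backslash variant
    'javascript:alert(1)',                       // rejected: no host, bad scheme
    'https://example.org@evil.example/',        // rejected: userinfo trick
    '/login.html',                               // rejected: would loop
];

foreach ($samples as $sample) {
    printf("%-45s -> %s\n", $sample, safeRedirectTarget($sample, 'example.org'));
}
```

In practice the validated value would be applied where the issue says the referrer is consumed: when the firewall success handler decides where to send the user after login with `redirectBack` enabled. Storing the original request path server-side in the session at the time of the 401 (rather than trusting the `Referer` header on the login page) avoids the problem entirely, because the stored value never left the server.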
