Hi,
I created:
I set up the Login redirection to that other "Menuitem X"
Problem in Frontend:
After Login there's a Fail, it's not redirecting. The Error Message shows something about:
"Error - not allowed to see resources"
"Fehler - Es ist nicht erlaubt diese Ressource einzusehen!"
Menu Item works.
Some others had this Problem not with the admin account but with a normal registered User.
I tested both, I have the Problem with both.
Additionally, if I switch (within the Login Menuitem) the redirect after Login to manual URL and back to Internal URL, I have to save it twice because the Switch goes back.
All together: I have a Problem, it seems Buggy, redirection does not work correctly, in my opinion this is a basic "Login, get Access" Process which should work.
It's easy to replicate.
Joomla 3.7.3
PHP 7.0.x
SEF active
Nearly new JOOMLA Installation.
Category | ⇒ | Authentication |
Here is the translation of the German part of the last message:
Can save a article, but no return to the original site. Must abort. However, the post is saved. When using BreezingForms no transmission possible. According to Hoster, a bug in Joomla 7.3.3. Databases have been reviewed. Are OK.
Status | New | ⇒ | Discussion |
I have the same issue. I added print_r($return); to my default login file and it just shows the site's URL, not the redirect URL.
If I modify the default_login.php, replacing the input at (about line 83) with this (from a Joomla 3.6.5 file)
<input type="hidden" name="return" value="<?php echo base64_encode($this->params->get('login_redirect_url', $this->form->getValue('return'))); ?>" />
the redirect works.
In my case $return is not being passed the redirect url parameters.
Steve
Joomla 3.7.4
PHP 7.1.4
I used something like (Sample Sites in sample sql)
index.php?option=com_content&view=article&id=38
tested on an updated 3.4.5 and I had no issue, whether before killing the session or logging with another browser where no session gomovies was set.
No issue either when using
http://localhost:8888/Joomla_3.4.5/index.php/content-modules here.
I personally worked on this for the Joomla 3.4.6 release.
There is no regression - there is a security fix.
Let me explain, prior to Joomla 3.4.6 there was a security bug that allowed a hacker to redirect a user after login through incorrect use of the redirect url, as it can be overwritten by user supplied data.
In Joomla 3.4.6 additional hardening of JURI::isInternal() took place - with full unit testing (a rare thing in Joomla!) the isInternal() function was truly hardened.
To be clear, as the docs are not, the redirect url MUST be an internal url, it MUST start with index.php? and be a non-sef url.
Examples:
index.php?option=com_content&view=article&id=38
Incorrect examples of a redirect url:
http://bbc.co.uk/
http://mysite.com/blog
/blog
Yes these might have worked in the past - but that was due to a bug in the way Joomla validated the urls. Now that security has been applied and the urls tested correctly the above examples will fail.
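The rule stated in the comment above, as an added example that is not part of the thread and is not Joomla's JURI::isInternal() code: it decodes the base64 `return` field used by the login form and accepts only a non-SEF URL starting with `index.php?`. The function names and the fallback URL are assumptions made for this illustration.

```php
<?php
// Added illustration, not Joomla core code. It applies the rule from the thread:
// a login redirect must be a non-SEF internal URL that starts with "index.php?".

const DEFAULT_RETURN = 'index.php?option=com_users&view=profile'; // assumed fallback

/** True only for relative, non-SEF URLs of the form index.php?key=value... */
function isAllowedReturn(string $url): bool
{
    // Reject control characters, spaces and backslashes that browsers may normalise.
    if (preg_match('/[\x00-\x20\\\\]/', $url)) {
        return false;
    }
    // Must begin with the literal prefix: no scheme, no host, no leading slash.
    if (strncmp($url, 'index.php?', 10) !== 0) {
        return false;
    }
    // parse_url() must report a path and a query only (this also drops fragments).
    $parts = parse_url($url);
    if ($parts === false || array_diff(array_keys($parts), ['path', 'query'])) {
        return false;
    }
    return $parts['path'] === 'index.php' && ($parts['query'] ?? '') !== '';
}

/** Decode the base64 "return" form field; fall back when it is not allowed. */
function resolveReturn(string $encoded): string
{
    $url = base64_decode($encoded, true); // strict mode: false on invalid input
    return ($url !== false && isAllowedReturn($url)) ? $url : DEFAULT_RETURN;
}

// URLs quoted in the thread, encoded the way the login form's hidden field is.
$samples = [
    'index.php?option=com_content&view=article&id=38',
    'http://bbc.co.uk/',
    'http://mysite.com/blog',
    '/blog',
    '/index.php?option=com_whatever&anything=really', // routed form, leading '/'
];
foreach ($samples as $s) {
    printf("%-50s -> %s\n", $s, resolveReturn(base64_encode($s)));
}
```

Only the first sample is returned unchanged; every other value, including the routed form with a leading slash, resolves to the fallback.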
@bindibindi266 do I understand correctly that the Issue is expected Behaviour?
Status | Discussion | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-09-27 23:20:49 |
Closed_By | ⇒ | brianteeman |
Yes it is the expected behaviour that for security purposes the redirect must be to an internal url
It is solved now. All these issues have been solved now. Tested on an updated 3.4.5 and I had no issue, whether before killing the session or logging with another browser where no session gomovies was set. No issue either when using
http://localhost:8888/Joomla_3.4.5/index.php/content-modules here.
Hi,
The issue I have with this is that JRoute::_("index.php?ItemId=38") will return /index.php?option=com_whatever&anything=really, with a leading '/'.
So I should not use JRoute::_($url) anymore, at least not for login?
Can you please open a new issue containing all details required? This is a closed issue since Sep 2017. Otherwise we can't track the issues. Thanks.
After Login (Frontend) I can Save but without redirecting. I Must Break Operation.
Saving an article is possible, but there is no return to the original site. I have to cancel. The article is saved, however. When using BreezingForms, no submission is possible. According to the hoster, a bug in Joomla 7.3.3. The databases have been checked. They are OK.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17151.