The Joomla! Forum ™



Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 139 posts ]  Go to page 1, 2, 3, 4, 5  Next
Posted: Sun Jan 25, 2009 1:57 am
Joomla! Guru

Joined: Mon Oct 01, 2007 11:35 am
Posts: 522
I could be wrong but I think in the past after login users were taken to the page where they were before. Now they end up on a page with nothing but this text:
Quote:
User Details
Welcome to the registered user area of our site.

Am I right to think this is a change in 1.5.9? Is there any way to change it back?


Posted: Sun Jan 25, 2009 7:00 am
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17222
Location: **Translation Matters**
Please look
http://joomlacode.org/gf/project/joomla ... m_id=14710

If using the module, do not use a redirection to such a menu item,
If using a user login menu item, do not enter the url stated in the tracker as redirection.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


Posted: Sun Jan 25, 2009 8:22 am
Joomla! Guru

Joined: Mon Oct 01, 2007 11:35 am
Posts: 522
Ah, thanks, I forgot to mention that: the login module is, and was, set not to redirect, and there is no login menu item.

While checking it just now, I saw that the help balloon says that if no redirect page is selected then there will be an automatic redirection to the front page. Again, I could well be wrong, but I thought users were taken to the page last visited before login unless, as you pointed out, another page is set.
So that would make the question: is it possible in some way to direct users back to the last visited page, i.e. not to redirect upon login?

Btw, I was prompted to post about this when I noticed last night that the JED now also redirects to an empty page with that welcome message. For some time my browser has logged me into the JED automatically but I seem to remember the redirection was different in the past.


Posted: Sun Jan 25, 2009 8:58 am
Joomla! Guru

Joined: Mon Oct 01, 2007 11:35 am
Posts: 522
Puzzled by this and still suspecting a change in the code, I have just compared the files of J!1.5.3 with those of J!1.5.9.

In 1.5.3 mod_login helper.php had this:
Code:
   function getReturnURL($params, $type)
   {
      if($itemid =  $params->get($type))
      {
         $menu =& JSite::getMenu();
         $item = $menu->getItem($itemid);
         $url = $item->link;
      }
      else
      {
         // Redirect to login
         $uri = JFactory::getURI();
         $url = $uri->toString();
      }

      return base64_encode($url);
   }

In 1.5.9 this was changed to the following:
Code:
   function getReturnURL($params, $type)
   {
      if($itemid =  $params->get($type))
      {
         $menu =& JSite::getMenu();
         $item = $menu->getItem($itemid);
         $url = JRoute::_($item->link.'&Itemid='.$itemid, false);
      }
      else
      {
         $url = JURI::base(true);
      }

      return base64_encode($url);
   }


I think the 1.5.3 lines marked by the comment "// Redirect to login" would redirect to the page where the login button was clicked, and I think JURI::base in 1.5.9 effectively means the front page.
If so, then indeed it was possible in the past not to set a redirection page so as to make users return to the previous page, whereas now there will always be redirection whether to the front page or, if and as set by the administrator, elsewhere.
Frankly, if this is not a bug it is certainly no improvement.

So, what I am going to do is to change my files as follows, and I hope 1.5.10 will have the same:
Code:
add in xml:
<param name="redirect" type="radio" default="0" label="Redirect" description="Redirect to home page or elsewhere as selected">
   <option value="0">No</option>
   <option value="1">Yes</option>
</param>

change in helper.php
   function getReturnURL($params, $type)
   {
      $redirection = $params->get( 'redirect', 0 );
      if ($redirection!=0)
      {
         if($itemid =  $params->get($type))
         {
            $menu =& JSite::getMenu();
            $item = $menu->getItem($itemid);
            $url = JRoute::_($item->link.'&Itemid='.$itemid, false);
         }
         else
         {
            $url = JURI::base(true);
         }
      } else
      {
         // Redirect to login
         $uri = JFactory::getURI();
         $url = $uri->toString();
      }

      return base64_encode($url);
   }

I have not tested it yet, but something like this should preserve the old functionality while adding the new functionality.


Posted: Sun Jan 25, 2009 10:18 am
Joomla! Exemplar

Joined: Thu Aug 18, 2005 8:43 pm
Posts: 7986
Location: New York
There was a security fix that filters redirects through isInternal which is part of what you are seeing there.

There was also a problem for users who did not have a referrer set. I think the changes made also address that.

_________________
So we must fix our vision not merely on the negative expulsion of war, but upon the positive affirmation of peace. MLK 1964.
http://officialjoomlabook.com Get it at http://www.joomla.org/joomla-press-official-books.html Buy a book, support Joomla!.


Posted: Sun Jan 25, 2009 10:44 am
Joomla! Guru

Joined: Mon Oct 01, 2007 11:35 am
Posts: 522
Thanks for the info, but I am not sure if I completely understand. I guess what you are saying is that the new code prevents someone from manipulating the URL to abuse the redirect to the same page, and that sometimes there was no current page to redirect back to? I am not sure that I understand because I am assuming one needs an existing page to find the login module.

I wonder if there would not have been a way to close a security gap which would still allow users to get back to the page where they were. Personally I dislike it very much when I am forced to again browse to the page where I already was, and I would like to avoid inflicting this on my users.

How big is the security issue that the new code aims to fix? Would I be irresponsible to revert back to the old code for a small, nearly unnoticed but frequently backed-up website?


Posted: Sun Jan 25, 2009 2:51 pm
Joomla! Fledgling

Joined: Sun Jan 25, 2009 6:00 am
Posts: 4
ewel wrote:
Thanks for the info, but I am not sure if I completely understand. I guess what you are saying is that the new code prevents someone from manipulating the URL to abuse the redirect to the same page, and that sometimes there was no current page to redirect back to? I am not sure that I understand because I am assuming one needs an existing page to find the login module.

I wonder if there would not have been a way to close a security gap which would still allow users to get back to the page where they were. Personally I dislike it very much when I am forced to again browse to the page where I already was, and I would like to avoid inflicting this on my users.

How big is the security issue that the new code aims to fix? Would I be irresponsible to revert back to the old code for a small, nearly unnoticed but frequently backed-up website?



I agree with you on this. I think it explains my question from yesterday:

viewtopic.php?p=1561994#p1561994

If it's a security fix, then the fix was to lose functionality.

If you auto login because the "remember me" option was selected, then the return parameter should not be ignored.
It works if you use the form, why shouldn't it work if auto-login because "remember me" was selected?

I can understand that you don't want the return to be abused by anyone using your site for redirects, but the redirection only happens after a successful login.

This is a bug.


Posted: Sun Jan 25, 2009 5:15 pm
Joomla! Exemplar

Joined: Thu Aug 18, 2005 8:43 pm
Posts: 7986
Location: New York
No, because you could be redirected to a hostile site before the isInternal. You really do not want that to happen.

I agree that it is very strange that the form and the module are handling the redirects differently. Well the form by definition doesn't use the referrer to redirect whereas as you point out, before that was the default behavior. I spent some time on a related issue last week and it was a puzzle there too. Further, why does the module use JRoute for the redirect but the component does not?

If you think you have a code solution to this please post it to the tracker. However please remember to test it with the referrer off (this is a setting of your browser).


Posted: Sun Jan 25, 2009 6:06 pm
Joomla! Fledgling

Joined: Sun Jan 25, 2009 6:00 am
Posts: 4
mcsmom wrote:
No, because you could be redirected to a hostile site before the isInternal. You really do not want that to happen.

I agree that it is very strange that the form and the module are handling the redirects differently. Well the form by definition doesn't use the referrer to redirect whereas as you point out, before that was the default behavior. I spent some time on a related issue last week and it was a puzzle there too. Further, why does the module use JRoute for the redirect but the component does not?

If you think you have a code solution to this please post it to the tracker. However please remember to test it with the referrer off (this is a setting of your browser).



I'll definitely need this to work with referrer off.

When you say module, which module are you referring to? I assumed that the "remember me" functionality was handled by a plugin.

Part of the problem could be that if remember me was NOT selected and I redirect my other application to "/index.php?option=com_user&view=login&return=[endcodedUrl]", there is another post with a task set and the redirect occurs.

If remember me was previously selected, then authentication occurs. Since no task is selected the view is just displayed, which contains just the message and the logout button.

This behavior is what makes integration with apps outside of joomla difficult. Either the controller or the user.php needs to be smarter. Or whatever code that handles the "remember me" functionality needs to be able to check the host and handle redirect itself.

BTW, do you know where the code is at that handles the remember me functionality? I'd love to help out, but I'm not sure exactly where to look yet.


Posted: Sun Jan 25, 2009 8:36 pm
Joomla! Guru

Joined: Mon Oct 01, 2007 11:35 am
Posts: 522
I am probably still not understanding the depth of the issue..

If isInternal is the key to success, wouldn't this work?
Code:
// Redirect to login
$uri = JFactory::getURI();
$url = JURI::isInternal( $uri->toString() ) ? $uri->toString() : JURI::base(true);


Posted: Mon Jan 26, 2009 3:23 am
Joomla! Fledgling

Joined: Sun Jan 25, 2009 6:00 am
Posts: 4
ewel wrote:
I am probably still not understanding the depth of the issue..

If isInternal is the key to success, wouldn't this work?
Code:
// Redirect to login
$uri = JFactory::getURI();
$url = JURI::isInternal( $uri->toString() ) ? $uri->toString() : JURI::base(true);



It's definitely the API call to use, I just don't know yet where the best place is to put the redirect.


Posted: Mon Jan 26, 2009 7:24 am
Joomla! Guru

Joined: Mon Oct 01, 2007 11:35 am
Posts: 522
My focus was on keeping users at the same page when they use the module to login. Just now I also tested if there is a redirect if a user visits a page with registered users content, but there the user is passed back to the article as normal. So from what I can see and understand, the issue is with the module.

As to the module, above I showed the changes in the code which effectively lead to a redirection to a page with a User Details message. Then I merged the old and the new by adding a parameter allowing a choice between no redirection in the old way and redirection in the new way of J!1.5.9. When no redirection is set, apparently using isInternal makes all the difference, and this could be inserted as per my previous post.

So, all in all, this should work and I think it's time to try this on my website to see what happens.


Posted: Wed Jan 28, 2009 7:46 am
Joomla! Guru

Joined: Mon Oct 01, 2007 11:35 am
Posts: 522
I tested the below code, and it all seems to work.

in mod_login's helper.php file
Code:
class modLoginHelper {

   function getReturnURL($params, $type) {
      $redirectornot = $params->get( 'redirect', 0 );
      if ($redirectornot == 1) {
         if($itemid =  $params->get($type)) {
            $menu =& JSite::getMenu();
            $item = $menu->getItem($itemid);
            $url = JRoute::_($item->link.'&Itemid='.$itemid, false);
         } else {
            $url = JURI::base(true);
         }
      } else {
         $juri = JFactory::getURI();
         $uri = $juri->toString();
         if ( JURI::isInternal($uri) && !empty($uri) ) {
            $url = $uri;
         } else {
            $url = JURI::base(true);
         }
      }
      return base64_encode($url);
   }

   function getType() {
      $user = & JFactory::getUser();
      return (!$user->get('guest')) ? 'logout' : 'login';
   }
}

in mod_login.xml installation file
Code:
<param name="redirect" type="radio" default="0" label="Redirect" description="Redirect to home page or elsewhere as selected">
   <option value="0">No</option>
   <option value="1">Yes</option>
</param>

It is bad enough that I make users register but making them search the page they found after they login would be so much worse, so I am very glad I seem to have gotten rid of all redirections!

If any core members are reading this thread I would appreciate a comment about whether my code is utterly stupid or not, and whether it would be possible to do something to the same effect in the next version of Joomla.

Since apparently there are security issues involved I will just note that I do not recommend that anyone uses this code instead of the original core code in the latest version and that anyone using this code does so at his/her own risk - certainly not at mine.


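An added example, not part of the posts above and not Joomla's own code: a stand-alone PHP sketch of the kind of check discussed in this thread, where a base64-encoded return URL is used after login only if it stays on the site and the site base is used otherwise. The function names `is_internal_url()` and `safe_return_url()` and the host `www.example.org` are assumptions made for illustration; the sketch goes beyond the one-line `isInternal` test in the thread by covering several malformed inputs.

```php
<?php
// Added illustration: function names and hosts are hypothetical, not Joomla APIs.

/**
 * True if $url stays on this site: a relative reference, or an absolute
 * http(s) URL whose host is exactly $siteHost.
 */
function is_internal_url($url, $siteHost)
{
    // Empty values, whitespace, control characters and backslashes are
    // refused outright: browsers strip or rewrite them, so the URL that is
    // followed may differ from the URL that was checked.
    if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return false;
    }
    // "//host/path" is protocol-relative and leaves the site.
    if (strncmp($url, '//', 2) === 0) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    // Neither scheme nor host: a path or query on the current site.
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return true;
    }
    // Only plain web schemes, no embedded credentials, exact host match.
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    return isset($parts['host'])
        && strtolower($parts['host']) === strtolower($siteHost);
}

/**
 * Decode a base64 return value (the encoding getReturnURL() applies in the
 * thread) and hand back a URL that is safe to redirect to after login.
 */
function safe_return_url($encoded, $siteHost, $fallback)
{
    $url = base64_decode($encoded, true); // strict mode: false on invalid input
    if ($url === false || !is_internal_url($url, $siteHost)) {
        return $fallback;
    }
    return $url;
}

// Constructed sample values; www.example.org stands in for the site's host.
$site = 'www.example.org';
$samples = array(
    'http://www.example.org/index.php?option=com_content&view=article&id=5',
    '/index.php?option=com_user&view=login',
    'http://other.example.net/',
    '//other.example.net/',
    'http://www.example.org@other.example.net/',
    'javascript:void(0)',
);
foreach ($samples as $raw) {
    $target = safe_return_url(base64_encode($raw), $site, '/');
    printf("%-72s => %s\n", $raw, $target);
}
// A value that is not valid base64 is handled by the same fallback path.
echo safe_return_url('%%%not-base64%%%', $site, '/'), "\n";
```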
 
Posted: Mon Feb 02, 2009 4:59 pm
Joomla! Enthusiast

Joined: Thu Jan 10, 2008 1:43 pm
Posts: 190
I have a related problem, I think. When you create an account on my site the page redirects to the home page with no message to say welcome, etc. You don't know if you registered or not. If you fill in the contact form, the page redirects to a blank contact form, so you have no way of knowing the message was sent.

Is something corrupted in my joomla 1.5.9 files? What can I do to fix this -- I don't think I'm knowledgeable enough to monkey around with the php files too much.


Posted: Sat Feb 07, 2009 12:46 am
Joomla! Fledgling

Joined: Tue Nov 07, 2006 9:27 am
Posts: 3
Location: Los Angeles, CA, USA
ewel wrote:
I tested the below code, and it all seems to work.


Wow does it! I thought I was going to scream trying to get the login/logout page to redirect to somewhere useful because when I tried to use an "External Link" as my redirect page and set it back to index.php, it never worked. That would be an awesome awesome addition to the next Joomla! update so we don't have to make sure those files aren't overwritten...hint hint to whoever handles that. ;) I'm sure it was removed for a reason, but it was really a very necessary step to keep the website simple for clients to navigate.

I too am having the problem with the registration not redirecting to a "successful registration" page or providing instructions on what they must do next (activate their account). This problem occurs even without the above modifications present. There also isn't a message if the user typed in their user ID or password incorrectly. My site just clears the login form which could be confused for problems with cookies. Any help/advice would be greatly appreciated.


Last edited by dianascherff on Sat Feb 07, 2009 1:11 am, edited 1 time in total.

Posted: Sat Feb 07, 2009 1:05 am
Joomla! Guru

Joined: Mon Oct 01, 2007 11:35 am
Posts: 522
Redirecting for security reasons is a little bit like forcing women to leave their hand bags at the entrance of the super market: very secure but also certain to turn people away. For myself I see no point in an empty but secure super market.


Posted: Sat Feb 07, 2009 2:19 am
Joomla! Exemplar

Joined: Thu Aug 18, 2005 8:43 pm
Posts: 7986
Location: New York
No one cares about security until their site has been hacked.


Posted: Sat Feb 07, 2009 7:50 am
Joomla! Guru

Joined: Mon Oct 01, 2007 11:35 am
Posts: 522
I was one of them until I had a site cracked a good year ago. Now I use much of the security check list to make it easier for burglars to go next door. So I do appreciate the importance of security, but I also appreciate that a website is there for visitors. Security is one of the means to maintaining a website, and I am not prepared to see it as the purpose. The means should only detract from the purpose if there is no alternative - and speaking for myself I feel I have an alternative.


Posted: Wed Feb 25, 2009 4:27 pm
Joomla! Apprentice

Joined: Thu Jul 24, 2008 2:20 am
Posts: 29
Just wondering if there was any final word on this?
Will an update be available in the next version of J!?

I have the same issue. I set up an internal website for my company and there's protected content within the site. Users can't access documents (DOCman) as a guest but they can if they sign on.
But having them go back to the Home Page when they log on just sucks from a usability standpoint.

What makes it more of an issue for me is that I just introduced this board to the company and now the behavior has changed b/c I upgraded from 1.5.8 to 1.5.9.

I'm going to implement the code hack noted above and document it on my wiki for future updates but what a pain in the arse. I've been trying to avoid hacks at all cost just for this reason but I feel it's really important to be able to stay at the page you were on and NOT be redirected after logging in. (thanks for the code.....) ;)


Posted: Wed Feb 25, 2009 10:48 pm
Joomla! Fledgling

Joined: Wed Feb 25, 2009 10:45 pm
Posts: 3
Location: Adriatic
I have the same issue with redirects, my users have option to login to post comments with their username, login form placed conveniently under the article comment form, but after the login they're redirected to successful login page and they DO HATE to look again for the article in order to comment it.

I really think this should be fixed in core files, I'd hate to use insecure hacks.

Same redirect to previous page is available at this very forum - why disable it for the rest of us ?


Posted: Thu Feb 26, 2009 5:03 am
Joomla! Guru

Joined: Mon Oct 01, 2007 11:35 am
Posts: 522
retush wrote:
I'd hate to use insecure hacks.

Quite right.

retush wrote:
Same redirect to previous page is available at this very forum - why disable it for the rest of us ?

Very good point! Why is that? Is this site not up to date with security or does it use a hack that we could all use?

How important does the core team think this issue is? Seeing the number of views of this thread it seems that it is an issue of interest to many users.


Posted: Thu Feb 26, 2009 9:12 am
Joomla! Exemplar

Joined: Thu Aug 18, 2005 8:43 pm
Posts: 7986
Location: New York
First of all, this forum is not Joomla it is phpbb.


@dlebreaux

There is no reason to redirect to the home page, use the redirect parameter to send users to an appropriate page.


Posted: Thu Feb 26, 2009 9:24 am
Joomla! Apprentice

Joined: Wed Mar 15, 2006 10:30 am
Posts: 28
Location: Sweden
Hi.
We do not want any redirect.
We want the user to stay on the page he/she was at when logging in, also after logging in is complete.

How can that be achieved?

/Sven


Posted: Thu Feb 26, 2009 11:31 am
Joomla! Guru

Joined: Mon Oct 01, 2007 11:35 am
Posts: 522
Let me just stress this: when a visitor logs in it usually means that he found what he was looking for. Then in principle it is very counter-productive to send the visitor anywhere else than the page that inspired him to log in.


Posted: Thu Feb 26, 2009 5:23 pm
Joomla! Apprentice

Joined: Thu Jul 24, 2008 2:20 am
Posts: 29
mcsmom - the issue with your logic is here -
"use the redirect parameter to send users to an appropriate page".

The "appropriate page" is the page that they're on.
There is no setting in Joomla to say "current page".

Have you updated to 1.5.9 yet? If so you can test this yourself.


Posted: Thu Feb 26, 2009 6:45 pm
Joomla! Fledgling

Joined: Wed Feb 25, 2009 10:45 pm
Posts: 3
Location: Adriatic
mcsmom wrote:
First of all, this forum is not Joomla it is phpbb.


OK, I am aware that this is PHPBB, but I was referring to the user login functionality of this very forum, handling the login redirects in a manner we would like to reinstate back to Joomla.


Posted: Sat Feb 28, 2009 1:08 am
Joomla! Virtuoso

Joined: Sun Apr 06, 2008 4:44 am
Posts: 3290
Location: Seattle, WA, USA
Ok. I'm looking into this now. I should have an update in a day or so. Thanks for your patience. If we can figure out a way to get this behaviour back without breaking something else, it makes sense to do it. Thanks. Mark

_________________
Mark Dexter
"Well...how did I get here?"


Posted: Sat Feb 28, 2009 12:41 pm
Joomla! Exemplar

Joined: Thu Aug 18, 2005 8:43 pm
Posts: 7986
Location: New York
Mark, should this whole thread get moved to quality and testing? It doesn't really belong in this forum since it is really an issue report.


Posted: Sat Feb 28, 2009 7:22 pm
Joomla! Master

Joined: Thu Aug 18, 2005 7:13 am
Posts: 16536
Moved to 1.5 Q&T forum.

_________________
Joomla forum global moderator.

Have fun


Posted: Mon Mar 02, 2009 12:06 am
Joomla! Fledgling

Joined: Mon Mar 02, 2009 12:04 am
Posts: 1
Thank you! You are an absolute star!

