No auto login redirect to same page anymore?

This forum is for reporting bugs in Joomla!. Please don't report problems with extensions in here.
ewel
Joomla! Guru
Joomla! Guru
Posts: 522
Joined: Mon Oct 01, 2007 11:35 am

No auto login redirect to same page anymore?

Post by ewel » Sun Jan 25, 2009 1:57 am

I could be wrong but I think in the past after login users were taken to the page where they were before. Now they end up on a page with nothing but this text:
User Details
Welcome to the registered user area of our site.
Am I right to think this is a change in 1.5.9? Is there any way to change it back?

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: No auto login redirect to same page anymore?

Post by infograf768 » Sun Jan 25, 2009 7:00 am

Please look
http://joomlacode.org/gf/project/joomla ... m_id=14710

If using the module, do not use a redirection to such a menu item,
If using a user login menu item, do not enter the url stated in the tracker as redirection.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

ewel
Joomla! Guru
Joomla! Guru
Posts: 522
Joined: Mon Oct 01, 2007 11:35 am

Re: No auto login redirect to same page anymore?

Post by ewel » Sun Jan 25, 2009 8:22 am

Ah, thanks, I forgot to mention that: the login module is, and was, set not to redirect, and there is no login menu item.

While checking it just now, I saw that the help balloon says that if no redirect page is selected then there will be an automatic redirection to the front page. Again, I could well be wrong, but I thought users were taken to the page last visited before login unless, as you pointed out, another page is set.
So that would make the question: is it possible in some way to direct users back to the last visited page, i.e. not to redirect upon login?

Btw, I was prompted to post about this when I noticed last night that the JED now also redirects to an empty page with that welcome message. For some time my browser has logged me into the JED automatically but I seem to remember the redirection was different in the past.

ewel
Joomla! Guru
Joomla! Guru
Posts: 522
Joined: Mon Oct 01, 2007 11:35 am

Re: No auto login redirect to same page anymore?

Post by ewel » Sun Jan 25, 2009 8:58 am

Puzzled by this and still suspecting a change in the code, I have just compared the files of J!1.5.3 with those of J!1.5.9.

In 1.5.3 mod_login helper.php had this:

Code: Select all

	function getReturnURL($params, $type)
	{
		if($itemid =  $params->get($type))
		{
			$menu =& JSite::getMenu();
			$item = $menu->getItem($itemid);
			$url = $item->link;
		}
		else
		{
			// Redirect to login
			$uri = JFactory::getURI();
			$url = $uri->toString();
		}

		return base64_encode($url);
	}
In 1.5.9 this was changed to the following:

Code: Select all

	function getReturnURL($params, $type)
	{
		if($itemid =  $params->get($type))
		{
			$menu =& JSite::getMenu();
			$item = $menu->getItem($itemid);
			$url = JRoute::_($item->link.'&Itemid='.$itemid, false);
		}
		else
		{
			$url = JURI::base(true);
		}

		return base64_encode($url);
	}
I think the 1.5.3 lines marked by the comment "// Redirect to login" would redirect to the page where the login button was clicked, and I think JURI::base in 1.5.9 effectively means the front page.
If so, then indeed it was possible in the past not to set a redirection page so as to make users return to the previous page, whereas now there will always be redirection whether to the front page or, if and as set by the administrator, elsewhere.
Frankly, if this is not a bug it is certainly no improvement.

So, what I am going to do is to change my files as follows, and I hope 1.5.10 will have the same:

Code: Select all

add in xml:
<param name="redirect" type="radio" default="0" label="Redirect" description="Redirect to home page or elsewhere as selected">
	<option value="0">No</option>
	<option value="1">Yes</option>
</param>

change in helper.php
	function getReturnURL($params, $type)
	{
		$redirection = $params->get( 'redirect', 0 )
		if ($redirection!=0)
		{
			if($itemid =  $params->get($type))
			{
				$menu =& JSite::getMenu();
				$item = $menu->getItem($itemid);
				$url = JRoute::_($item->link.'&Itemid='.$itemid, false);
			}
			else
			{
				$url = JURI::base(true);
			}
		} else
		{
			// Redirect to login
			$uri = JFactory::getURI();
			$url = $uri->toString();
		}

		return base64_encode($url);
	}
I have not tested it yet, but something like this should preserve the old functionality while adding the new functionality.

User avatar
mcsmom
Joomla! Exemplar
Joomla! Exemplar
Posts: 7897
Joined: Thu Aug 18, 2005 8:43 pm
Location: New York
Contact:

Re: No auto login redirect to same page anymore?

Post by mcsmom » Sun Jan 25, 2009 10:18 am

There was a security fix that filters redirects through isInternal which is part of what you are seeing there.

There was also a problem for users who did not have a referrer set. I think the changes made also address that.
So we must fix our vision not merely on the negative expulsion of war, but upon the positive affirmation of peace. MLK 1964.
http://officialjoomlabook.com Get it at http://www.joomla.org/joomla-press-official-books.html Buy a book, support Joomla!.

ewel
Joomla! Guru
Joomla! Guru
Posts: 522
Joined: Mon Oct 01, 2007 11:35 am

Re: No auto login redirect to same page anymore?

Post by ewel » Sun Jan 25, 2009 10:44 am

Thanks for the info, but I am not sure if I completely understand. I guess what you are saying is that the new code prevents that someone could manipulate the URL to abuse of the redirect to the same page, and that sometimes there was no current page to redirect back to? I am not sure that I understand because I am assuming one needs an existing page to find the login module.

I wonder if there would not have been a way to close a security gap which would still allow users to get back to the page where they were. Personally I dislike it very much when I am forced to again browse to the page where I already was, and I would like to avoid inflicting this on my users.

How big is the security issue that the new code aims to fix? Would I be irresponsible to revert back to the old code for a small, nearly unnoticed but frequently backed-up website?

monteslu
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Sun Jan 25, 2009 6:00 am

Re: No auto login redirect to same page anymore?

Post by monteslu » Sun Jan 25, 2009 2:51 pm

ewel wrote:Thanks for the info, but I am not sure if I completely understand. I guess what you are saying is that the new code prevents that someone could manipulate the URL to abuse of the redirect to the same page, and that sometimes there was no current page to redirect back to? I am not sure that I understand because I am assuming one needs an existing page to find the login module.

I wonder if there would not have been a way to close a security gap which would still allow users to get back to the page where they were. Personally I dislike it very much when I am forced to again browse to the page where I already was, and I would like to avoid inflicting this on my users.

How big is the security issue that the new code aims to fix? Would I be irresponsible to revert back to the old code for a small, nearly unnoticed but frequently backed-up website?

I agree with you on this. I think it explains my question from yesterday:

http://forum.joomla.org/viewtopic.php?p ... 4#p1561994

If it's a security fix, then the fix was to lose functionality.

If you auto login because the "remember me" option was selected, then the return parameter should not be ignored.
It works if you use the form, why shouldn't it work if auto-login because "remember me" was seletected?

I can understand that you don't want the return to be abused by anyone using your site for redirects, but the redirection only happens after a successful login.

This is a bug.

User avatar
mcsmom
Joomla! Exemplar
Joomla! Exemplar
Posts: 7897
Joined: Thu Aug 18, 2005 8:43 pm
Location: New York
Contact:

Re: No auto login redirect to same page anymore?

Post by mcsmom » Sun Jan 25, 2009 5:15 pm

No, because you could be redirected to a hostile site before the isInternal. You really do not want that to happen.

I agree that it is very strange that the form and the module are handling the redirects differently. Well the form by definition doesn't sure the referrer to redirect whereas as you point out, before that was the default behavior. I spent some time on a related issue last week and it was a puzzle there too. Further, why does the module use JRoute for the redirect but the component does not?

If you think you have a code solution to this please post it to the tracker. However please remember to test it with the referrer off (this is a setting of your browser).
So we must fix our vision not merely on the negative expulsion of war, but upon the positive affirmation of peace. MLK 1964.
http://officialjoomlabook.com Get it at http://www.joomla.org/joomla-press-official-books.html Buy a book, support Joomla!.

monteslu
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Sun Jan 25, 2009 6:00 am

Re: No auto login redirect to same page anymore?

Post by monteslu » Sun Jan 25, 2009 6:06 pm

mcsmom wrote:No, because you could be redirected to a hostile site before the isInternal. You really do not want that to happen.

I agree that it is very strange that the form and the module are handling the redirects differently. Well the form by definition doesn't sure the referrer to redirect whereas as you point out, before that was the default behavior. I spent some time on a related issue last week and it was a puzzle there too. Further, why does the module use JRoute for the redirect but the component does not?

If you think you have a code solution to this please post it to the tracker. However please remember to test it with the referrer off (this is a setting of your browser).

I'll definitely need this to work with referrer off.

When you say module, which module are your referring to? I assumed that the "remember me" functionality was handled by a plugin.

Part of the problem could be that if remember me was NOT selected and I redirect my other application to "/index.php?option=com_user&view=login&return=[endcodedUrl]", there is another post with a task set and the redirect occurs.

If remember me was previously selected, then authentication occurs. Since no task is selected the view is just displayed, which contains just the message and the logout button.

This behavior is what makes integration with apps outside of joomla difficult. Either the controller or the user.php needs to be smarter. Or whatever code that handles the "remember me" functionaliy needs to be able to check the host and handle redirect itself.

BTW, do you know where the code is at that handles the remember me functionality? I'd love to help out, but I'm not sure exactly where to look yet.

ewel
Joomla! Guru
Joomla! Guru
Posts: 522
Joined: Mon Oct 01, 2007 11:35 am

Re: No auto login redirect to same page anymore?

Post by ewel » Sun Jan 25, 2009 8:36 pm

I am probably still not understanding the depth of the issue..

If isInternal is the key to success, wouldn't this work?

Code: Select all

// Redirect to login
$uri = JFactory::getURI();
$url = (isInternal( $uri )) ? $uri->toString() : JURI::base(true);

monteslu
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Sun Jan 25, 2009 6:00 am

Re: No auto login redirect to same page anymore?

Post by monteslu » Mon Jan 26, 2009 3:23 am

ewel wrote:I am probably still not understanding the depth of the issue..

If isInternal is the key to success, wouldn't this work?

Code: Select all

// Redirect to login
$uri = JFactory::getURI();
$url = (isInternal( $uri )) ? $uri->toString() : JURI::base(true);

It's definitely the API call to use, I just don't know yet where the best place is to put the redirect.

ewel
Joomla! Guru
Joomla! Guru
Posts: 522
Joined: Mon Oct 01, 2007 11:35 am

Re: No auto login redirect to same page anymore?

Post by ewel » Mon Jan 26, 2009 7:24 am

My focus was on keeping users at the same page when they use the module to login. Just now I also tested if there is a redirect if a user visits a page with registered users content, but there the user is passed back to the article as normal. So from what I can see and understand, the issue is with the module.

As to the module, above I showed the changes in the code which effectively lead to a redirection to a page with a User Details message. Then I merged the old and the new by adding a parameter allowing a choice between no redirection in the old way and redirection in the new way of J!1.5.9. When no redirection is set, aparently using isInternal makes all the difference, and this could be inserted as per my previous post.

So, all in all, this should work and I think it's time to try this on my website to see what happens.

ewel
Joomla! Guru
Joomla! Guru
Posts: 522
Joined: Mon Oct 01, 2007 11:35 am

Re: No auto login redirect to same page anymore?

Post by ewel » Wed Jan 28, 2009 7:46 am

I tested the below code, and it all seems to work.

in mod_login's helper.php file

Code: Select all

class modLoginHelper {

	function getReturnURL($params, $type) {
		$redirectornot = $params->get( 'redirect', 0 );
		if ($redirectornot == 1) {
			if($itemid =  $params->get($type)) {
				$menu =& JSite::getMenu();
				$item = $menu->getItem($itemid);
				$url = JRoute::_($item->link.'&Itemid='.$itemid, false);
			} else {
				$url = JURI::base(true);
			}
		} else {
			$juri = JFactory::getURI();
			$uri = $juri->toString();
			if ( JURI::isInternal($uri) && !empty($uri) ) {
				$url = $uri;
			} else {
				$url = JURI::base(true);
			}
		}
		return base64_encode($url);
	}

	function getType() {
		$user = & JFactory::getUser();
		return (!$user->get('guest')) ? 'logout' : 'login';
	}
}
in mod_login.xml installation file

Code: Select all

<param name="redirect" type="radio" default="0" label="Redirect" description="Redirect to home page or elsewhere as selected">
	<option value="0">No</option>
	<option value="1">Yes</option>
</param>
It is bad enough that I make users register but making them search the page they found after they login would be so much worse, so I am very glad I seem to have gotten rid of all redirections!

If any core members are reading this thread I would appreciate a comment about whether my code is utterly stupid or not, and whether it would be possible to do something to the same effect in the next version of Joomla.

Since apparently there are security issues involved I will just note that I do not recommend that anyone uses this code instead of the original core code in the lastest version and that anyone using this code does so at his/her own risk - certainly not at mine.

janeinpa
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 190
Joined: Thu Jan 10, 2008 1:43 pm

Re: No auto login redirect to same page anymore?

Post by janeinpa » Mon Feb 02, 2009 4:59 pm

I have a related problem, I think. When you create an account on my site the page redirects to the home page with no message to say welcome, etc. You don't know if you registered or not. If you fill in the contact form, the page redirects to a blank contact form, so you have no way of knowing the message was sent.

Is something corrupted in my joomla 1.5.9 files? What can I do to fix this -- I don't think I'm knowlegable enough to monkey around with the php files too much.

User avatar
dianascherff
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Tue Nov 07, 2006 9:27 am
Location: Los Angeles, CA, USA

Re: No auto login redirect to same page anymore?

Post by dianascherff » Sat Feb 07, 2009 12:46 am

ewel wrote:I tested the below code, and it all seems to work.
Wow does it! I thought I was going to scream trying to get the login/logout page to redirect to somewhere useful because when I tried to use an "External Link" as my redirect page and set it back to index.php, it never worked. That would be an awesome awesome addition to the next Joomla! update so we don't have to make sure those files aren't overwritten...hint hint to whoever handles that. ;) I'm sure it was removed for a reason, but it was really very necessary step to keep the website simple for clients to navigate.

I too am having the problem with the registration not redirecting to a "successful registration" page or providing instructions on what they must do next (activate their account). This problem occurs even without the above modifications present. There also isn't a message if the user typed in their user ID or password incorrectly. My site just clears the login form which could be confused for problems with cookies. Any help/advise would be greatly appreciated.
Last edited by dianascherff on Sat Feb 07, 2009 1:11 am, edited 1 time in total.

ewel
Joomla! Guru
Joomla! Guru
Posts: 522
Joined: Mon Oct 01, 2007 11:35 am

Re: No auto login redirect to same page anymore?

Post by ewel » Sat Feb 07, 2009 1:05 am

Redirecting for security reasons is a little bit like forcing women to leave their hand bags at the entrance of the super market: very secure but also certain to turn people away. For myself I see no point in an empty but secure super market.

User avatar
mcsmom
Joomla! Exemplar
Joomla! Exemplar
Posts: 7897
Joined: Thu Aug 18, 2005 8:43 pm
Location: New York
Contact:

Re: No auto login redirect to same page anymore?

Post by mcsmom » Sat Feb 07, 2009 2:19 am

No one cares about security until their site has been hacked.
So we must fix our vision not merely on the negative expulsion of war, but upon the positive affirmation of peace. MLK 1964.
http://officialjoomlabook.com Get it at http://www.joomla.org/joomla-press-official-books.html Buy a book, support Joomla!.

ewel
Joomla! Guru
Joomla! Guru
Posts: 522
Joined: Mon Oct 01, 2007 11:35 am

Re: No auto login redirect to same page anymore?

Post by ewel » Sat Feb 07, 2009 7:50 am

I was one of them until I had a site cracked a good year ago. Now I use much of the security check list to make it easier for burglars to go next door. So I do appreciate the importance of security, but I also appreciate that a website is there for visitors. Security is one of the means to maintaining a website, and I am not prepared to see it as the purpose. The means should only detract from the purpose if there is no alternative - and speaking for myself I feel I have an alternative.

dlebreux
Joomla! Apprentice
Joomla! Apprentice
Posts: 29
Joined: Thu Jul 24, 2008 2:20 am

Re: No auto login redirect to same page anymore?

Post by dlebreux » Wed Feb 25, 2009 4:27 pm

Just wondering if there was any final word on this?
Will an update be available in the next version of J!?

I have the same issue. I set up an internal website for my company and there's protected content within the site. Users can't access documents (DOCman) as a guest but they can if they sign on.
But having them go back to the Home Page when they log on just sucks from a usability standpoint.

What makes it more of an issue for me is that I just introduced this board to the company and now the behavior has changed b/c I upgraded from 1.5.8 to 1.5.9.

I'm going to implement the code hack noted above and document it on my wiki for future updates but what a pain in the arse. I've been trying to avoid hacks at all cost just for this reason but I feel it's really important to be able to stay at the page you were on and NOT be redirected after logging in. (thanks for the code.....) ;)

User avatar
retush
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Wed Feb 25, 2009 10:45 pm
Location: Adriatic
Contact:

Re: No auto login redirect to same page anymore?

Post by retush » Wed Feb 25, 2009 10:48 pm

I have the same issue with redirects, my users have option to login to post comments with their username, login form placed conveniently under the article comment form, but after the login they're redirected to successful login page and they DO HATE to look again for the article in order to comment it.

I really think this should be fixed in core files, I'd hate to use insecure hacks.

Same redirect to previous page is available at this very forum - why disable it for the rest of us ?

ewel
Joomla! Guru
Joomla! Guru
Posts: 522
Joined: Mon Oct 01, 2007 11:35 am

Re: No auto login redirect to same page anymore?

Post by ewel » Thu Feb 26, 2009 5:03 am

retush wrote:I'd hate to use insecure hacks.
Quite right.
retush wrote:Same redirect to previous page is available at this very forum - why disable it for the rest of us ?
Very good point! Why is that? Is this site not up to date with security or is does it use a hack that we could all use?

How important does the core team think this issue is? Seeing the number of views of this thread it seems that it is an issue of interest to many users.

User avatar
mcsmom
Joomla! Exemplar
Joomla! Exemplar
Posts: 7897
Joined: Thu Aug 18, 2005 8:43 pm
Location: New York
Contact:

Re: No auto login redirect to same page anymore?

Post by mcsmom » Thu Feb 26, 2009 9:12 am

First of all, this forum is not Joomla it is phpbb.


@dlebreaux

There is no reason to redirect to the home page, use the redirect parameter to send users to an appropriate page.
So we must fix our vision not merely on the negative expulsion of war, but upon the positive affirmation of peace. MLK 1964.
http://officialjoomlabook.com Get it at http://www.joomla.org/joomla-press-official-books.html Buy a book, support Joomla!.

junsve
Joomla! Apprentice
Joomla! Apprentice
Posts: 33
Joined: Wed Mar 15, 2006 10:30 am
Location: Sweden

Re: No auto login redirect to same page anymore?

Post by junsve » Thu Feb 26, 2009 9:24 am

Hi.
We do not want any redirect.
We want the user to stay on the page he/she was at when logging in, also after logging in is complete.

How can that be achieved?

/Sven

ewel
Joomla! Guru
Joomla! Guru
Posts: 522
Joined: Mon Oct 01, 2007 11:35 am

Re: No auto login redirect to same page anymore?

Post by ewel » Thu Feb 26, 2009 11:31 am

Let me just stress this: when a visitor logs in it usually means that he found what he was looking for. Then in principle it is very counter-productive to send the visitor anywhere else than the page that inspired him to log in.

dlebreux
Joomla! Apprentice
Joomla! Apprentice
Posts: 29
Joined: Thu Jul 24, 2008 2:20 am

Re: No auto login redirect to same page anymore?

Post by dlebreux » Thu Feb 26, 2009 5:23 pm

mcsmom - the issue with your logic is here -
"use the redirect parameter to send users to an appropriate page".

The "appropriate page" is the page that they're on.
There is no setting in Joomla to say "current page".

Have you updated to 1.5.9 yet? If so you can test this yourself.

User avatar
retush
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Wed Feb 25, 2009 10:45 pm
Location: Adriatic
Contact:

Re: No auto login redirect to same page anymore?

Post by retush » Thu Feb 26, 2009 6:45 pm

mcsmom wrote:First of all, this forum is not Joomla it is phpbb.
OK, I am aware that this is PHPBB, but I was reffering to the user login functionality of this very forum, handling the login redirects in a manner we would like to reinstate back to Joomla.

User avatar
dextercowley
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3286
Joined: Sun Apr 06, 2008 4:44 am
Location: Seattle, WA, USA

Re: No auto login redirect to same page anymore?

Post by dextercowley » Sat Feb 28, 2009 1:08 am

Ok. I'm looking into this now. I should have an update in a day or so. Thanks for your patience. If we can figure out a way to get this behaviour back without breaking something else, it makes sense to do it. Thanks. Mark
Mark Dexter
"Well...how did I get here?"

User avatar
mcsmom
Joomla! Exemplar
Joomla! Exemplar
Posts: 7897
Joined: Thu Aug 18, 2005 8:43 pm
Location: New York
Contact:

Re: No auto login redirect to same page anymore?

Post by mcsmom » Sat Feb 28, 2009 12:41 pm

Mark, should this whole thread get moved to quality and testing? It doesn't really belong in this forum since it is really an issue report.
So we must fix our vision not merely on the negative expulsion of war, but upon the positive affirmation of peace. MLK 1964.
http://officialjoomlabook.com Get it at http://www.joomla.org/joomla-press-official-books.html Buy a book, support Joomla!.

User avatar
Tonie
Joomla! Master
Joomla! Master
Posts: 16553
Joined: Thu Aug 18, 2005 7:13 am

Re: No auto login redirect to same page anymore?

Post by Tonie » Sat Feb 28, 2009 7:22 pm

Moved to 1.5 Q&T forum.

alphawavemedia
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Mon Mar 02, 2009 12:04 am

Re: No auto login redirect to same page anymore?

Post by alphawavemedia » Mon Mar 02, 2009 12:06 am

Thank you! You are an absolute star!


Locked

Return to “Joomla! 1.5 Bug Reporting”