Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

SSO Endpoint & Back Button

Hello everyone,

I use the SSO Entry Point (with jsconnect) to link to my vanilla forum from my web application. Everything works fine but when the user uses the browser "Back Button" he gets redirected to the SSO Entry Point. (which is technically right of course!)

Is there a way to check the $_SERVER['HTTP_REFERER'] when the user comes to /sso? I would like to check if the user comes from the forum and redirect him to the web application and not loop him back into the forum.

Thanks, Cheers



  • Options
    LincLinc Detroit Admin
    edited December 2016

    No, and that's actually possibly unsafe to implement. It's possible to spoof $_SERVER['HTTP_REFERER'], and if you don't validate the target of the redirect it could be done maliciously. See the safeRedirect() function in Vanilla if you decide to move forward with this on your site.

    Personally, I recommend leaving this alone. If there is clear navigation on the forum back to the app, folks can get back easily. If they use the back button, they'll figure it out pretty quick, and our experience suggests that's a big "if".

  • Options

    Hi Linc,

    alright thanks for this good and very quick answer!


  • Options
    LincLinc Detroit Admin


Sign In or Register to comment.