
SSO Endpoint & Back Button

Hello everyone,

I use the SSO Entry Point (with jsConnect) to link to my Vanilla forum from my web application. Everything works fine, but when the user uses the browser "Back Button", he gets redirected to the SSO Entry Point (which is technically right, of course!).

Is there a way to check $_SERVER['HTTP_REFERER'] when the user comes to /sso? I would like to check whether the user comes from the forum and, if so, redirect him to the web application rather than looping him back into the forum.

Thanks, Cheers
Hannes


Comments

  • Linc, Director of Development, Detroit, Vanilla Staff
    edited December 2016

    No, and that's actually possibly unsafe to implement. It's possible to spoof $_SERVER['HTTP_REFERER'], and if you don't validate the target of the redirect it could be done maliciously. See the safeRedirect() function in Vanilla if you decide to move forward with this on your site.

    Personally, I recommend leaving this alone. If there is clear navigation on the forum back to the app, folks can get back easily. If they use the back button, they'll figure it out pretty quick, and our experience suggests that's a big "if".

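The following is an added example illustrating the two points in the answer above; it is not Vanilla code, not Linc's, and it does not describe what Vanilla's safeRedirect() does. It assumes the forum is at forum.example.com, the web application at app.example.com, and that /sso lives on the application. The idea is that the Referer header (attacker-controlled and often absent) is never used as a redirect target; it only chooses between two hard-coded destinations, so a forged value cannot produce an open redirect. The unsafe variant is shown beside it for contrast.

```php
<?php
// Added example for this thread, not Vanilla code. Assumed names: the forum
// lives at forum.example.com, the web application at app.example.com, and the
// SSO entry point discussed in the question is app.example.com/sso.
declare(strict_types=1);

const FORUM_HOST = 'forum.example.com';        // assumed
const APP_HOME   = 'https://app.example.com/'; // assumed; a fixed target

/**
 * True if $referer parses as an http(s) URL whose host is exactly one of
 * $allowedHosts. Referer is trivially spoofed or stripped, so the result is
 * only ever used to choose between fixed destinations, never as a target.
 */
function refererHostIs(?string $referer, array $allowedHosts): bool
{
    if ($referer === null || $referer === '') {
        return false;                       // header absent: fail closed
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                       // relative URL, '//evil', 'javascript:'
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                       // https://forum.example.com@evil.test/
    }
    $host = strtolower($parts['host']);
    // Exact match only: a prefix or substring check would accept
    // forum.example.com.evil.test.
    foreach ($allowedHosts as $allowed) {
        if ($host === strtolower($allowed)) {
            return true;
        }
    }
    return false;
}

/**
 * Decide where /sso sends the browser. The Referer can only flip the choice
 * between two constants, so spoofing it at worst lands the user on APP_HOME.
 */
function ssoRedirectTarget(?string $referer, string $forumEntryUrl): string
{
    if (refererHostIs($referer, [FORUM_HOST])) {
        return APP_HOME;       // came back from the forum: send to the app
    }
    return $forumEntryUrl;     // normal SSO flow into the forum
}

// What NOT to do (open redirect): bouncing to whatever the Referer says.
function unsafeRedirectTarget(?string $referer, string $forumEntryUrl): string
{
    return $referer ?: $forumEntryUrl;   // 'https://evil.test/' is accepted as-is
}

// Constructed sample Referer values for an offline run (assumed URLs).
$forumEntry = 'https://forum.example.com/entry/jsconnect';
$cases = [
    ['https://forum.example.com/discussion/42/hello', APP_HOME],
    ['https://FORUM.Example.com/',                    APP_HOME],
    [null,                                            $forumEntry], // header stripped
    ['',                                              $forumEntry],
    ['https://forum.example.com.evil.test/',          $forumEntry],
    ['https://forum.example.com@evil.test/',          $forumEntry],
    ['//forum.example.com/',                          $forumEntry],
    ['javascript:alert(1)',                           $forumEntry],
    ['https://evil.test/',                            $forumEntry],
];
foreach ($cases as [$referer, $expected]) {
    $got = ssoRedirectTarget($referer, $forumEntry);
    printf("%-48s -> %s %s\n", var_export($referer, true), $got,
        $got === $expected ? 'ok' : 'FAIL');
}

// In the real /sso handler (not run from the command line):
if (PHP_SAPI !== 'cli') {
    header('Location: ' . ssoRedirectTarget($_SERVER['HTTP_REFERER'] ?? null, $forumEntry), true, 302);
    exit;
}
```

Two caveats a practitioner should keep in mind. Browsers frequently omit the Referer (Referrer-Policy, privacy extensions, HTTPS-to-HTTP transitions), so the check has to fail closed into the normal SSO flow and can only ever be a convenience, not a control. And a Referer from the forum host does not prove the user pressed Back; any link from the forum to /sso produces the same header, so make sure that case also wants to land on the application.
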
  • Hannes

    Hi Linc,

    alright thanks for this good and very quick answer!

    Cheers
    Hannes

  • Linc, Director of Development, Detroit, Vanilla Staff

    Cheers!
