Users running a non-download version of Vanilla (pulled from GitHub) on branch release/2019.016 or master from the last two weeks should upgrade to release/2019.017 or the latest master for security reasons. Downloaded official open-source releases are not affected.
Please upgrade here. These earlier versions are no longer being updated and have security issues.

SSO Endpoint & Back Button

I use the SSO Entry Point (with jsconnect) to link to my Vanilla forum from my web application. Everything works fine, but when the user uses the browser's "Back" button he gets redirected to the SSO Entry Point (which is technically right, of course!).

Is there a way to check $_SERVER['HTTP_REFERER'] when the user comes to /sso? I would like to check whether the user comes from the forum and redirect him to the web application rather than loop him back into the forum.

    No, and that's actually possibly unsafe to implement. It's possible to spoof $_SERVER['HTTP_REFERER'], and if you don't validate the target of the redirect it could be done maliciously. See the safeRedirect() function in Vanilla if you decide to move forward with this on your site.

    Personally, I recommend leaving this alone. If there is clear navigation on the forum back to the app, folks can get back easily. If they use the back button, they'll figure it out pretty quick, and our experience suggests that's a big "if".
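One way to act on the warning above, as an added example that is neither Vanilla's code nor its safeRedirect() implementation: the Referer header is client-controlled, so it is only allowed to pick between fixed destinations and is never copied into the Location header, and any redirect target that does come from the request is checked against an allowlist of hosts first. The host names, URLs and function names below are assumptions for illustration.

```php
<?php
// Added example, not Vanilla's code: allowlist-based redirect target validation
// plus a Referer check that can only choose between fixed destinations.
declare(strict_types=1);

/**
 * Return $target if it is a safe place to send the browser, otherwise $fallback.
 * Accepts a path-relative target ("/discussions/42", one leading slash only) or an
 * absolute http(s) URL whose host is exactly in $allowedHosts. Rejects protocol-
 * relative forms ("//evil.example", "/\evil.example"), non-http schemes such as
 * "javascript:", URLs carrying userinfo ("https://forum.example.com@evil.example"),
 * control characters (header injection), and anything parse_url() cannot parse.
 */
function safe_redirect_target(string $target, array $allowedHosts, string $fallback): string
{
    $target = trim($target);
    if ($target === '') {
        return $fallback;
    }
    // CR/LF or other control characters would let the value inject extra headers.
    if (preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return $fallback;
    }
    // Path-relative target: exactly one leading slash, not followed by "/" or "\".
    if ($target[0] === '/') {
        return preg_match('#^/(?![/\\\\])#', $target) ? $target : $fallback;
    }
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    $host    = strtolower($parts['host']);
    $allowed = array_map('strtolower', $allowedHosts);
    return in_array($host, $allowed, true) ? $target : $fallback;
}

/**
 * The idea from the question: use Referer to decide where to send the user.
 * Because Referer is spoofable, it may only select between two constants;
 * its value is never echoed into the redirect itself.
 */
function choose_destination(?string $referer, string $forumHost, string $appUrl, string $forumUrl): string
{
    $host = $referer !== null ? parse_url($referer, PHP_URL_HOST) : null;
    return (is_string($host) && strtolower($host) === strtolower($forumHost)) ? $appUrl : $forumUrl;
}

// Assumed deployment values for the demonstration.
$allowedHosts = ['forum.example.com', 'app.example.com'];
$fallback     = 'https://app.example.com/';

// Constructed inputs: what an attacker or a browser might put in ?Target= or Referer.
$cases = [
    '/discussions/42',
    '//evil.example/phish',
    '/\\evil.example',
    'https://forum.example.com/categories',
    'HTTPS://FORUM.EXAMPLE.COM/categories',
    'https://forum.example.com@evil.example/',
    'https://forum.example.com.evil.example/',
    'javascript:alert(1)',
    "https://app.example.com/\r\nSet-Cookie: x=y",
];
foreach ($cases as $c) {
    printf("%-48s -> %s\n", addcslashes($c, "\0..\37"), safe_redirect_target($c, $allowedHosts, $fallback));
}

echo choose_destination('https://forum.example.com/discussion/1', 'forum.example.com',
                        'https://app.example.com/', 'https://forum.example.com/'), "\n";
echo choose_destination('https://evil.example/', 'forum.example.com',
                        'https://app.example.com/', 'https://forum.example.com/'), "\n";

// In a real /sso handler the redirect would be issued as:
// header('Location: ' . safe_redirect_target($_GET['Target'] ?? '', $allowedHosts, $fallback), true, 302);
// exit;
```

Exact host matching is deliberate: suffix or substring checks are what let `forum.example.com.evil.example` through, and the leading-slash rule is what stops `//host` and `/\host`, which browsers resolve as protocol-relative URLs.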

  • Hi Linc,

    Alright, thanks for this good and very quick answer!


