Entry Signin Target - Allow Parameters to Target

Hello,

I'm currently working with Vanilla 2.1.11. My forums are in an embedded state. I created my own SSO solution for my website, however I need to allow an additional parameter in the signin redirect. This is what a link would look like:

http://www.example.com/forums#/entry/signin?Target=authenticate.php?redirect=site2.example.com

However, Vanilla strips away the '?redirect=site2.example.com' portion. Attempting to sign in will only redirect you to authenticate.php without the argument and parameter values. When I check the page source of the URL example above, you can see the following:

<input type="hidden" id="Form_Target" name="Target" value="authenticate.php" />

I've searched Google and on the forums here but cannot find an answer on how I can allow my redirect argument in the Form_Target value. Any help would greatly be appreciated!

Answers

  • vrijvlinder Papillon-Sauvage MVP

    I'm currently working with Vanilla 2.1.11

    Stop now and update ASAP!!!! You are seriously vulnerable and exposing your users.

    For redirecting after sign out, all you need is to add the URL to config.php. Try this:

        $Configuration['Garden']['Authenticator']['SignOutUrl'] = 'http://www.yoursite.com/forum/entry/signout/{Session_TransientKey}?Target=http://url to be redirected to/';
    
        $Configuration['Garden']['Authenticator']['SignInUrl'] = 'http://www.yoursite.com/forum/entry/signin/{Session_TransientKey}?Target=http://url to be redirected to/';
    
  • @vrijvlinder said:

    I'm currently working with Vanilla 2.1.11

    Stop now and update ASAP!!!! You are seriously vulnerable and exposing your users.

    For redirecting after sign out, all you need is to add the URL to config.php. Try this:

        $Configuration['Garden']['Authenticator']['SignOutUrl'] = 'http://www.yoursite.com/forum/entry/signout/{Session_TransientKey}?Target=http://url to be redirected to/';
        
        $Configuration['Garden']['Authenticator']['SignInUrl'] = 'http://www.yoursite.com/forum/entry/signin/{Session_TransientKey}?Target=http://url to be redirected to/';
    

    Hey, thanks for the info - I'll look into updating. I need to make sure nothing breaks.

    Regarding the config options, there is a problem:

    I won't always want there to be a URL to be redirected to. Also, there are a number of websites connected which use Vanilla to log in. For example:

    A user may be on site2 - I want their login link to look like this:
    http://www.example.com/forums#/entry/signin?Target=authenticate.php?redirect=site2.example.com

    A user may be on site 34 - Link should look like this:

    http://www.example.com/forums#/entry/signin?Target=authenticate.php?redirect=site34.example.com

    A user may just be on the regular site, so the link would look like this (notice no Target added to the link):

    http://www.example.com/forums#/entry/signin

    On each individual website, the login links properly direct to the links mentioned above, so the user logging in on site 2 is directed to Target=authenticate.php?redirect=site2.example.com while the user on site 34 goes to ?Target=authenticate.php?redirect=site34.example.com.

    So, what I need is to allow the information following the Target parameter to be unique and not hard coded as you mentioned. I can easily add any direct file link, such as Target=authenticate.php, Target=sso.php, etc. but when I add the additional redirect argument, that is removed and only the base file name is used for the Target.

    Hopefully this makes sense. Thanks for your reply =)

  • @R_J said:
    I have a nginx setup and your example site1.example.com/entry/signin?Target=authenticate.php?redirect=site2.example.com redirects me to site1.example.com/authenticate.php?redirect=site2.example.com.

    But I'm using Vanilla 2.3 while you are using 2.1, which might be the problem.

    Another theoretical problem might be that you use the question mark two times. It looks really strange to me, but I must admit I do not know enough about valid characters/constructs in an url.

    Do you have the possibility to do the authentication through an index controller? If you move your authentication.php to /authentication/index.php and use a rewrite rule, you would be able to call it like this: site1.example.com/entry/signin?Target=authenticate/site2.example.com.

    Just an idea...

    But really: upgrade to 2.3.1 and see if you still have that problem!

    I decided to remove the forums from an embedded state and now everything works! It's odd it would not work in an embedded state. Thanks for your help =)
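As an added example (not Vanilla's code and not the poster's), here is how the sign-in link from this thread can be built so the nested redirect survives the doubled question mark R_J mentions, and how a hypothetical authenticate.php can restrict the redirect value to known sites so the pass-through is not an open redirect. The allowlist, the default URL and the function names are assumptions.

```php
<?php
// Added example, not Vanilla's or the poster's code. The site hosts,
// the default URL and the function names are assumptions for illustration.

// Build the non-embedded sign-in link for one site. The inner URL is
// percent-encoded, so its "?" and "=" are literal characters inside the
// Target value instead of a second query string. (The embedded form puts
// the same query after "#/entry/signin"; the encoding is identical.)
function buildSignInLink(string $forumBase, string $redirectHost): string
{
    $target = 'authenticate.php?' . http_build_query(['redirect' => $redirectHost]);
    return $forumBase . '/entry/signin?' . http_build_query(['Target' => $target]);
}

// Hosts authenticate.php may send a user to. Anything else falls back to
// the default, so the redirect parameter cannot be pointed at arbitrary sites.
const ALLOWED_REDIRECT_HOSTS = ['site2.example.com', 'site34.example.com'];
const DEFAULT_REDIRECT = 'https://www.example.com/';

// Resolve the redirect parameter as authenticate.php would after sign-in.
// Accepts a bare host ("site2.example.com") or an http(s) URL on an allowed host.
function resolveRedirect(?string $redirect): string
{
    if ($redirect === null || $redirect === '') {
        return DEFAULT_REDIRECT;
    }
    // A bare host has no scheme; parse_url() would treat it as a path.
    $candidate = preg_match('#^[a-z][a-z0-9+.-]*://#i', $redirect) ? $redirect : 'https://' . $redirect;
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return DEFAULT_REDIRECT;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return DEFAULT_REDIRECT;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_REDIRECT_HOSTS, true)) {
        return DEFAULT_REDIRECT;
    }
    return $candidate;
}

// Walk the link the way the forum and then authenticate.php would see it.
$link = buildSignInLink('http://www.example.com/forums', 'site2.example.com');
parse_str(parse_url($link, PHP_URL_QUERY), $forumQuery);   // Target=authenticate.php?redirect=site2.example.com
parse_str(parse_url($forumQuery['Target'], PHP_URL_QUERY), $ssoQuery);
echo resolveRedirect($ssoQuery['redirect']), "\n";         // https://site2.example.com
echo resolveRedirect('www.example.net'), "\n";             // not on the allowlist: https://www.example.com/
echo resolveRedirect(null), "\n";                          // no Target at all: https://www.example.com/
```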

  • whu606 I'm not a SuperHero; I just like wearing tights... MVP

    Thanks for getting back to say you had solved it.

    Just to reiterate - you should update to 2.3.1 as a matter of urgency.

  • @whu606 said:
    Thanks for getting back to say you had solved it.

    Just to reiterate - you should update to 2.3.1 as a matter of urgency.

    That's the plan! I'm currently backing up everything and taking the site down for maintenance. Hopefully it should be a quick process.

  • whu606 I'm not a SuperHero; I just like wearing tights... MVP

    There's an extra step for upgrading from 2.1 - check the README that comes with 2.3

  • @whu606 said:
    There's an extra step for upgrading from 2.1 - check the README that comes with 2.3

    Hey, question -

    I've updated, and mostly everything works - but now I have a problem.

    In my config, I have the following setup:

        $Configuration['Garden']['Authenticator']['SignInUrl'] = '/entry/signin?Target=sso.php';
        $Configuration['Garden']['Authenticator']['RegisterUrl'] = '/entry/register?Target=sso.php';
    

    However, the signin and register links all point towards Target=categories. I've been looking everywhere to figure out why this is happening. Do you have any idea why?

  • whu606 I'm not a SuperHero; I just like wearing tights... MVP

    Sorry no, but maybe @R_J will...

  • @whu606 said:
    Sorry no, but maybe @R_J will...

    Thanks! Just in case someone else has the same problem, I did fix it but I had to hack a core file:

    /applications/dashboard/views/modules/

    I had to edit the guest.php file - The new code looks like this:

        $signInUrl = SignInUrl($this->_Sender->SelfUrl);
    
        if ($signInUrl) {
            echo '<div class="P">';
    
            echo anchor(t('Sign In'), SignInUrl('http://www.example.com/community/sso.php'), 'Button Primary'.(SignInPopup() ? ' SignInPopup' : ''), array('rel' => 'nofollow'));
            $Url = RegisterUrl('http://www.example.com/community/sso.php');
            if (!empty($Url))
                echo ' '.anchor(t('Register', t('Apply for Membership', 'Register')), $Url, 'Button ApplyButton', array('rel' => 'nofollow'));
    
            echo '</div>';
        }
    

    I basically had to hard code in the links to the sso.php file. For logged in users, logging on does what I require for the moment. Hopefully this helps anyone else that may have the same issue I had. You shouldn't edit core files, but it seems I had to in my case.

  • R_J Ex-Fanboy Munich Admin

    Yes, you never should, but sometimes you have to.

    In this case you would have been able to hide that "wrong" sign in button with .GuestBox .P {display: none}.
    The next line from the guest module view above is <?php $this->fireEvent('AfterSignInButton'); ?> and you could have used that to insert the altered code.

    Nope, that is not very elegant, I confess.

    You can create your own theme with which you can override the view.

    Or maybe you could overwrite the function signInUrl.
