Redirect after login #722
Replies: 3 comments 5 replies
-
|
Hello. Thanks for the good suggestion. This feature is very useful for stores where the user adds the product to the shopping cart before entering and must enter. And ... As a temporary solution, do the following: shield/src/Filters/SessionAuth.php Line 78 in a04a544 change as follows: if (!url_is('login')) {
$session = session();
$session->setTempdata('beforeLogginUrl', current_url(), 40);
}
return redirect()->route('login');Then make the following changes in file Config/Auth.php: public function loginRedirect(): string
{
$session = session();
$url = $session->getTempdata('beforeLogginUrl') ?? setting('Auth.redirects')['login'];
return $this->getUrl($url);
}Obviously, applying the mentioned changes is not correct and principled, however, it is presented to solve the issue. I'm fine with adding this feature, however, wait for the team members to decide. |
Beta Was this translation helpful? Give feedback.
-
What's wrong with that? The only way to do this is as follows:
It seems not so bad with the above implementation. |
Beta Was this translation helpful? Give feedback.
-
I meant that no changes should be made in file src/Filters/SessionAuth.php because it is in folder vendor. If he wants to make a change, he can put file src/Filters/SessionAuth.php in path app/Filters and create a new filter by changing the namespace and the desired change and definition it in file app\Config\Filters.php.
@kenjis what do you think about this kind of implementation, actually using query data instead of session? e.g. |
Beta Was this translation helpful? Give feedback.
-
|
Okay, I got what you mean, it is better that you can do it without creating a custom filter. In this case, Shield is already using session, so there is no reason to actively use a query string. This is because the session value cannot be tampered with by the user, but the query string can be freely specified by the user (or an attacker by passive attack). Since the query string is user input, input validation is required. The worst case is to make a mistake in implementation and create an open redirector. One of the most common situations where open redirector vulnerabilities are found is in the post-login page transition on the login page. If an open redirector exists at the specified location on the page that is displayed after login, the attacker can mimic the login page on the attacker's website after the redirect and make it look like the login failed, prompting the user to log in again on a fake website prepared by the attacker and exploit user information, including passwords. I would just say that using sessions is safer and less risky, but, if properly implemented, using query strings is not a problem. |
Beta Was this translation helpful? Give feedback.
-
|
Yes it is better to store the redirect login in session instead of using query string. |
Beta Was this translation helpful? Give feedback.
-
any ideas how to do that without changes to shield/src/Filters/SessionAuth.php while it is a vendor? |
Beta Was this translation helpful? Give feedback.
-
|
If you can send PR. |
Beta Was this translation helpful? Give feedback.
-
|
@emreozkartal the feature has been added in PR #793 |
Beta Was this translation helpful? Give feedback.
-
Hello everyone,
I hope you're all doing well. I have a suggestion for CI4 Shield that I think would be a useful feature to have.
Currently, users are redirected to the default page after logging in, which can be inconvenient if they were trying to access a specific page before logging in. With this new feature, users can be redirected to the page they were trying to access before logging in, making the user experience more seamless.
If anyone knows of any existing code that could be used to implement this feature, please let me know. Otherwise, I think it would be a great addition to CI4 Shield.
Thank you for your time and consideration.
Beta Was this translation helpful? Give feedback.
All reactions