login redirect - cb checks against livesite

11 years 6 months ago - 11 years 6 months ago #211562 by mattfaulds
I meant to put this in the CB -> general discussion area but became frustrated when the code post filter wouldn't allow any posts and gave no feedback to explain why. I had no idea why the post would not post!

CB 1.8.1, Joomla 1.5.26


This long base 64 login redirect thread tried to solve the CB login redirect problem many users have. Reference to this thread: www.joomlapolis.com/forum/112-cb-122-general-discussion/126563-base64-login-redirect-not-working?limit=6&start=30

I think I have found one situation in which this is a real problem.

** Edited - this is incorrect, read later in the thread **
If a site has SSL for admin only, JURI::base() returns an https:// address. This means the checking on the return value in the login function may fail. See com_comprofiler/comprofiler.php around line 1246.

The $return variable may be populated with a http:// address but $_CB_framework->getCfg( 'live_site' ) may be populated with a https:// address. In this case, the validation fails, $return is set to '' and the user is always returned to the homepage whenever they login.

Basically, there needs to be a check to see if $_CB_framework->getCfg( 'live_site' ) should have http or https which is how I have chosen to solve this.

File attachment: cbsslloginfix.txt (1 KB)

11 years 6 months ago - 11 years 6 months ago #211807 by krileon
We don't check live_site, it's directly pulled from Joomla using the Joomla API. You are supposed to leave it blank within configuration.php unless you absolutely know what you're doing and what it's used for. If blank, as it should be, Joomla will always return the proper scheme (http or https, etc. as needed). Extensions instructing you to configure it should be ignored.


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.


11 years 6 months ago - 11 years 6 months ago #211837 by mattfaulds
You have misunderstood and jumped to a conclusion. I had also not pinned the problem down, which I have now.

I do not use live_site. In the txt attachment earlier I reference the code in comprofiler.php where CB calls the CB framework ->getCfg('live_site'). This uses the Joomla API, yes, I know, hence the discussion of JURI::base(). I carried on the naming that CB has used: 'live_site'.

In fact getCfg('live_site') (the Joomla API) is generating the correct https:// address but CB isn't checking it properly. Let me explain further.

I use mod_cblogin to login via https:// but then, in general, redirect back to http:// as the whole site doesn't need to be encrypted. This means that at the time the return address is checked, CB is logging the user in via https://. Thus the return address can be http:// but CB_framework->getCfg('live_site') can be https://.

CB doesn't check this when testing for the redirect, it just tests the redirect address against CB_framework->getCfg('live_site').

So, without my modification, if I login from a page via https:// I get redirected to the homepage and if I echo out the return value and CB_framework->getCfg('live_site') they are as below:

echo CB $live_site: https://www.mysite.com
echo return: http://www.mysite.com/news/latest


if I login from a page via http:// I get properly redirected to the originating page and if I echo out the return value and CB_framework->getCfg('live_site') they are as below:

echo CB $live_site: http://www.mysite.com
echo return: http://www.mysite.com/news/latest


Now do you see?


11 years 6 months ago #211875 by krileon
Login from HTTPS to HTTP doesn't work, this is intentionally not fixed. It's considered a security issue doing a switch back. Once in HTTPS it's best to stay in HTTPS. Switching back often causes browsers to complain.

I've just tested login via HTTPS and it seems to be working perfectly fine. I've also inspected the URLs in the FORM before and after (logged out) and it is displaying fine. Sorry, I'm not sure what your issue is exactly and it's entirely possible you've a 3rd party SEF or an htaccess SEF rule that's rewriting the URL.


11 years 6 months ago - 11 years 6 months ago #211881 by mattfaulds
CB 1.8.1, Joomla 1.5.26
No 3rd party SEF.
mod_cblogin for all logins

Login occurs perfectly, but the setting in mod_cblogin has several options for HTTPS:

HTTPS (encrypted) login, register and lost password
Options: same as page (default)
use https for posting then same
use https (encrypted) for login and after login

I use option 2 as I do not need the entire site https.


Case (unmodified CB or Joomla):

user browses to: http://www.mysite.com/news/latest

user logs in via mod_cblogin

mod_cblogin sends post to https://www.mysite.com/index.php?option=com_comprofiler&task=login

user is logged in and then redirected to...

https://www.mysite.com


Case (modified CB):

user browses to: http://www.mysite.com/news/latest

user logs in via mod_cblogin

mod_cblogin sends post to https://www.mysite.com/index.php?option=com_comprofiler&task=login

user is logged in and then redirected to...

http://www.mysite.com/news/latest

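The check the two posts above describe (the echoed $live_site/return pair in #211837 and the two login cases in #211881) fails because the return URL is compared against the full scheme-prefixed site base, so an https:// login with an http:// return page never matches. The sketch below is an added example, not Community Builder's or Joomla's own code: it compares the host (and port) of the return address with the host of the site base URL, keeps the same fallback to '' (home page) on any mismatch, and makes the https-to-http downgrade an explicit opt-in so the default stays the behaviour the CB team describes as intentional. The function name safeReturnUrl(), the $allowSchemeDowngrade flag and every URL in it are constructed for this example.

```php
<?php
// Added example, not CB's or Joomla's code. Validates a post-login return
// URL by host rather than by "starts with live_site". Names and URLs here
// are constructed for illustration.

/**
 * Decide where to send a user after login.
 * Returns the validated URL, or '' when the caller should fall back to the
 * site home page (the same fallback the thread describes for a failed check).
 */
function safeReturnUrl(string $return, string $liveSite, bool $allowSchemeDowngrade = false): string
{
    $site = parse_url($liveSite);
    $ret  = parse_url($return);
    if ($site === false || $ret === false || empty($site['host'])) {
        return '';
    }

    // A plain relative path carries no host, so it can only land on this site.
    // Protocol-relative "//other.example/..." is not relative: parse_url sees a
    // host, so it falls through to the absolute-URL rules below and is rejected
    // for having no scheme. Backslashes are refused because browsers normalise
    // them to "/" before resolving.
    if (empty($ret['scheme']) && empty($ret['host'])) {
        if (!isset($return[0]) || $return[0] !== '/' || strpos($return, '\\') !== false) {
            return '';
        }
        return $return;
    }

    // Absolute URL: only http/https, and host and port must match the site.
    // Comparing hosts also defeats "https://www.example.com@other.example/",
    // where the site name sits in the userinfo part and the real host differs.
    $retScheme  = strtolower($ret['scheme'] ?? '');
    $siteScheme = strtolower($site['scheme'] ?? '');
    if (!in_array($retScheme, ['http', 'https'], true)) {
        return '';
    }
    if (strcasecmp($ret['host'] ?? '', $site['host']) !== 0) {
        return '';
    }
    if (($ret['port'] ?? null) !== ($site['port'] ?? null)) {
        return '';
    }

    // Scheme policy: upgrading http -> https is always fine; downgrading
    // https -> http (the "use https for posting then same" case) is accepted
    // only when the site operator opts in.
    if ($siteScheme === 'https' && $retScheme === 'http' && !$allowSchemeDowngrade) {
        return '';
    }

    return $return;
}

// Constructed cases mirroring the thread: login posted over https, the
// originating page requested over http, on the same host.
$liveSite = 'https://www.example.com';
$cases = [
    'http://www.example.com/news/latest',      // same host, https -> http
    'https://www.example.com/news/latest',     // same host, same scheme
    '/news/latest',                            // relative path
    '//other.example/news/latest',             // protocol-relative
    'https://www.example.com@other.example/',  // userinfo trick
    'http://other.example/news/latest',        // foreign host
];

foreach ([false, true] as $allowDowngrade) {
    printf("allowSchemeDowngrade=%s\n", $allowDowngrade ? 'true' : 'false');
    foreach ($cases as $case) {
        $result = safeReturnUrl($case, $liveSite, $allowDowngrade);
        printf("  %-42s -> %s\n", $case, $result === '' ? "'' (home page)" : $result);
    }
}
```

With the default (downgrade refused) the first case comes back as '' and the user lands on the home page, which is exactly what #211837 observed; with the opt-in it is accepted because host and port match. The foreign-host, protocol-relative and userinfo cases are rejected under both settings, which is the property a return-URL check exists to guarantee.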

11 years 6 months ago - 11 years 6 months ago #211887 by krileon
"use https for posting then same" intentionally does not work. It's a bug we opted to simply not fix as it'd cause too many potential issues. HTTPS switch-over back to HTTP is too erroneous and often throws browser warnings. Especially in IE, although that may not be the case anymore at the time we discussed this. With that said you're welcome to make changes to the module as needed. We'll need to discuss internally if we want to fix this (have already discussed not to previously) or remove the option to avoid confusion (we kept it to prevent the module parameters from potentially breaking on existing sites).
