• Resolved willburholt

    (@willburholt)


    The plugin doesn’t allow for the change of the “Login redirect URL” functionality.

    Whenever I set it to a custom URL and click the ‘save changes’ button, it puts in the original url of my website’s home page.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hi again @willburholt,

    Are you trying to set that somewhere outside of your site? If so, that’s not something we support for security reasons. You should see a “The ‘Login redirect URL’ cannot point to a foreign page.” error message when you try to do that.

    Thread Starter willburholt

    (@willburholt)

    No error message has been shown. It seems like the plugin’s messaging system has lots of issues in general for displaying errors.

    And yes, I have been trying to point it somewhere outside of my main site because I do use a multisite with sub domains. You should allow the plugin user to make the choice on setting to an outside URL but with the notification that you consider it to be ‘insecure.’

    • This reply was modified 6 years, 10 months ago by willburholt.

    plugin’s messaging system

    There isn’t really a general “messaging system” in place. Every pathway and action has its own set of actions someone can take and responses the software can give. In this case, the error should inform you of this case. When I try to save a URL with a different host, I get this:

    https://www.dropbox.com/s/186kzm84ry2i2wn/Screenshot%202018-05-02%2014.31.01.png?dl=0

    I’ll confer internally about how secure/insecure this is and whether we want to allow that. In general, we want to default towards “more secure” instead of “more flexible” but there is a lot of gray area there.

    Thread Starter willburholt

    (@willburholt)

    I have been referring to the many bugs that these notices have had in the past ‘in general’ and not pointing to how it functions. And to which most of these bugs have seemed to have been fixed recently (including the login redirect notice).

    And since Auth0 seems to be inclined to having ‘state-of-the-art’ security, I’ll seem to have to implement this custom feature on my own.

    • This reply was modified 6 years, 10 months ago by willburholt.

    I guess the question then is … if you try and save that, are you seeing the message there or not? If you’re not seeing that then I’ll definitely take a look.

    We’re less concerned with “state-of-the-art,” more so with just getting it right. The issue here might seem small but redirects after authentication need to be very trustworthy. If I log into a site through, say, Google and I land on a page, I’m going to assume I’m in the right place and not be skeptical. That could be a problem if that link is intercepted or altered in-flight.

    All that said, at the very least, we should allow redirects within the same network, that, to me, doesn’t compromise anything. I added this as an issue and will address for the next release after the upcoming one:

    https://github.com/auth0/wp-auth0/issues/459
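    Added here as an illustration of the check this thread is about, not code from the wp-auth0 plugin: a validator that refuses a login redirect to a foreign host and, as the last reply proposes for multisite, optionally admits subdomains of the network’s own host. The `example.com` host and the `is_allowed_redirect` name are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed example: the root host of the (multisite) network that owns the login flow.
SITE_HOST = "example.com"


def is_allowed_redirect(url: str, site_host: str = SITE_HOST,
                        allow_subdomains: bool = True) -> bool:
    """Return True only if `url` stays on our own site or network.

    Applies the thread's "cannot point to a foreign page" rule, with the
    proposed relaxation for multisite: a host that is the site itself or one of
    its subdomains counts as in-network. Anything else is rejected so the
    post-login redirect cannot be turned into an open redirect.
    """
    url = url.strip()
    # Some browsers normalise backslashes to slashes ("\\evil.com"), so treat
    # them as hostile instead of trying to interpret them.
    if "\\" in url:
        return False
    parts = urlsplit(url)
    if not parts.netloc:
        # No host at all: accept only an absolute path on this site.
        # urlsplit puts "//evil.com" into netloc, so it never reaches here.
        return parts.scheme == "" and parts.path.startswith("/")
    # An absolute URL must be http(s); this also blocks javascript:/data: schemes.
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname is lower-cased with userinfo and port stripped, so
    # "https://example.com@evil.com/" resolves to evil.com and is refused.
    host = parts.hostname
    if not host:
        return False
    if host == site_host:
        return True
    # Suffix match on a dot boundary: "blog.example.com" passes,
    # "example.com.evil.com" does not.
    return allow_subdomains and host.endswith("." + site_host)
```

    In WordPress core the equivalent mechanism is `wp_safe_redirect()`, whose host allow-list is extended through the `allowed_redirect_hosts` filter.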

  • The topic ‘Login redirect issues’ is closed to new replies.