XF 2.2 External redirect on login

kmecpp

Member
I have a subdomain that I'm trying to implement single sign on with XenForo. I want to give users a login link that will redirect them back to the subdomain but this doesn't seem to be possible with _xfRedirect which only accepts the current domain.

Is there any way to do this without modifying the XenForo code?
 
Figured out a solution that I like:

Just use _xfRedirect to redirect to a page on the current site like /redirect?site=myothersite and then have a controller for /redirect to map myothersite to the actual URL and redirect with return $this->redirect(). This is also secure from the phishing attacks that open redirects are susceptible to.

Might be easier to do something like this with a route filter or page navigation entry or something. Not sure if they support external domains either.
 
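As an added illustration of the keyed-redirect pattern described in the post above (this is not the poster's code nor part of XenForo; the add-on namespace, class name, route prefix and the URLs in the table are assumptions), a minimal XF 2 add-on controller would look like this:

```php
<?php
// Added example: a hypothetical add-on controller for the /redirect route.
// The namespace "MyAddon" and the URLs below are assumptions for illustration.
namespace MyAddon\Pub\Controller;

use XF\Mvc\ParameterBag;
use XF\Pub\Controller\AbstractController;

class Redirect extends AbstractController
{
    // Fixed, server-side map of short keys to absolute destinations.
    // The browser only ever supplies a key, never a URL, so there is no
    // open redirect: any key not in this table is rejected below.
    const TARGETS = [
        'home' => 'https://home.somedomain/',        // constructed sample value
        'docs' => 'https://docs.somedomain/welcome', // constructed sample value
    ];

    public function actionIndex(ParameterBag $params)
    {
        // Read ?site=... from the query string as a plain string.
        $site = $this->filter('site', 'str');

        if (!isset(self::TARGETS[$site])) {
            // Unknown key: answer 404 rather than redirecting anywhere at all.
            return $this->notFound();
        }

        // The login link handed to users on the other site is the forum's own
        // login URL with _xfRedirect=/redirect?site=home. That target is on the
        // forum's host, so XenForo's host-matching check accepts it; after login
        // XF lands the user here, and only this controller hops off-site.
        return $this->redirect(self::TARGETS[$site]);
    }
}
```

The controller still needs a route so that /redirect resolves to it (in XF 2 that is a public route added under the Admin CP's Setup > Routes, with the controller given as MyAddon:Redirect). The security property comes entirely from the lookup table: the destination is chosen by the server from a key, so a crafted link cannot name an arbitrary host, which is exactly the weakness XenForo's same-host restriction on _xfRedirect exists to prevent.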
This is also secure from the phishing attacks that open redirects are susceptible to.
That's pretty much why we apply the host matching restrictions.

If you're ok with your method, it's probably simpler than trying to override our redirection limits, as the bulk of the limits are from XF\App::getDynamicRedirect and that's not easily overridable from an add-on. You can override it in the specific controller needed, but that's probably more effort than what you're proposing.
 
That's pretty much why we apply the host matching restrictions.

If you're ok with your method, it's probably simpler than trying to override our redirection limits, as the bulk of the limits are from XF\App::getDynamicRedirect and that's not easily overridable from an add-on. You can override it in the specific controller needed, but that's probably more effort than what you're proposing.

Hi Mike,

I have 2 sites on the same domain (home.somedomain and forums.somedomain).
Possible to allow users from home.somedomain to log in to forums.somedomain, then redirect them back to home.somedomain?

Is there a hostname whitelist that I can configure?
 
No, there isn't any concept of a redirect whitelist check -- the code is basically just checking that the redirect target has the same hostname as the page that has been loaded.

What you require would require custom development (likely to override this validation in the specific situation where you need it).
 