XF 2.2 External redirect on login

kmecpp

kmecpp

Member
I have a subdomain that I'm trying to implement single sign on with XenForo. I want to give users a login link that will redirect them back to the subdomain but this doesn't seem to be possible with _xfRedirect which only accepts the current domain.

Is there any way to do this without modifying the XenForo code?
 
Figured out a solution that I like:

Just use _xfRedirect to redirect to a page on the current site like /redirect?site=myothersite and then have a controller for /redirect to map myothersite to the actual URL and redirecting with return $this->redirect(). This is also secure from the phishing attacks that open redirects are susceptible to.

Might be easier to do something like this with a route filter or page navigation entry or something. Not sure if they support external domains either
 
Last edited:
kmecpp said:
This is also secure from the phishing attacks that open redirects are susceptible to.
Click to expand...
That's pretty much why we apply the host matching restrictions.

If you're ok with your method, it's probably simpler than trying to override our redirection limits, as the bulk of the limits are from XF\App::getDynamicRedirect and that's not easily overridable from an add-on. You can override it in the specific controller needed, but that's probably more effort than what you're proposing.
 
Mike said:
That's pretty much why we apply the host matching restrictions.

If you're ok with your method, it's probably simpler than trying to override our redirection limits, as the bulk of the limits are from XF\App::getDynamicRedirect and that's not easily overridable from an add-on. You can override it in the specific controller needed, but that's probably more effort than what you're proposing.
Click to expand...

Hi Mike,

I have 2 sites on the same domain (home.somedomain and forums.somedomain)
Possible to allow users from home.somedomain to log in to forums.somedomain, then redirect them back to home.somedomain?

Is there a hostname whitelist that I can configure?
 
No, there isn't any concept of a redirect whitelist check -- the code is basically just checking that the redirect target has the same hostname of the page that has been loaded.

What you require would require custom development (likely to override this validation in the specific situation where you need it).
 
You must log in or register to reply here.

Similar threads

B
htaccess redirect on XF 2.1 breaks login
Replies
1
Views
708
bubblepop.net
B
Finalmarco
  • Question Question
XF 2.1 Redirect on logout / logout page
Replies
0
Views
465
Finalmarco
Finalmarco
L
  • Question Question
XF 2.1 Set invisible recaptcha on login page
Replies
9
Views
1K
Wave
W
Hugh Edwards
  • Question Question
XF 1.4 External Redirect / Porn Spamming?
Replies
5
Views
1K
xfrocks
xfrocks
R
  • Question Question
XenForo 2 redirect_to parameter on Login URL not working
Replies
5
Views
4K
doublespaces
doublespaces
Top Bottom