
Check the current URL before redirecting

Open dnaber-de opened this issue 13 years ago • 9 comments

Check whether the current page is not already the login page, to avoid loops. The check on $pagenow comes to nothing with custom login pages.

dnaber-de avatar Feb 05 '13 14:02 dnaber-de

@dnaber-de Which check do you mean, directly in the `redirect()` method?

bueltge avatar Jan 09 '14 18:01 bueltge

There were problems in combination with hooked login pages (not wp-login.php). It resulted in a loop. That has already been fixed, though; whether on the Authenticator side or project-specific, I don't know right now. I'll take another look at it.

dnaber-de avatar Jan 13 '14 12:01 dnaber-de

Thank you! Otherwise we'll close the issue and can update wp.org if needed, which would be necessary because of a bug.

bueltge avatar Jan 13 '14 12:01 bueltge

@dnaber-de Can you check this when you get a chance? Then 1.2 would be done.

bueltge avatar Apr 17 '14 09:04 bueltge

I suggest using English as the language for issues. I think the problem still persists, theoretically. We check for wp-login.php as $GLOBALS[ 'pagenow' ] but we then redirect using wp_login_url(). If someone hooks into login_url, the comparison of »pagenow« becomes invalid and with this, we get an infinite redirection loop.

dnaber-de avatar Aug 31 '14 12:08 dnaber-de

I've provided a possible fix for this problem in cd8fbe4 on the branch fix_13 but I don't have time to make a proper validation at the moment.

dnaber-de avatar Aug 31 '14 13:08 dnaber-de

Thanks for your time and effort. The language for issues is all the same to me, but if we discuss without other guys and dolls, then German is much easier for me. I will also say thank you for the time. I understand much more as other people's. Currently I'm also only online via mobile, the fritz box was broken.

bueltge avatar Aug 31 '14 18:08 bueltge

I have updated the prev. fix for this issue (17acc202035b6cfe4a1ceda4b7cc520162a108f4). In my case the prev. fix doesn't work if I had a custom login page and add a filter for my login_url.

Example:

page-login.php - Added a blank page with url /login/

<?php
...
wp_login_form( $args );
...

functions.php

...
add_filter( 'login_url', 'my_login_page', 10, 2 );
function my_login_page( $login_url, $redirect ) {
    return home_url( '/login/?redirect_to=' . $redirect );
}

Testcases:

  • Request: http://inspyde-auth.local will be redirected to http://inspyde-auth.local/login/?redirect_to=/login/
  • Request http://inspyde-auth.local/login/ will be redirected to http://inspyde-auth.local/login/ (nothing happens)
  • Request http://inspyde-auth.local/beispiel-seite will be redirected to http://inspyde-auth.local/login/?redirect_to=/beispiel-seite/

deantomasevic avatar Jul 26 '15 19:07 deantomasevic

About 17acc202: What happens if you request a sub-page with the permalink /some-page/login/? I assume that you won't be redirected to the login page as of the strpos() comparison.

Furthermore I think we should compare the complete login URL (including the host) to respect setups where logins might be combined on one site in a multisite.

dnaber-de avatar Aug 20 '15 10:08 dnaber-de
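
The concern raised in the last comment, as an added example that is not part of the thread or the plugin's code: a substring check on the login path (an assumption about the shape of such a check, since the commit itself is not shown here) next to a comparison of host, port and path. All function names and the `other-site` host are hypothetical; `$login_url` stands in for what a filtered `wp_login_url()` would return.

```php
<?php
// Added example, not the plugin's code. All function names are hypothetical.

/** Reduce a URL to what identifies a page: lowercase host, port, path without trailing slash. */
function normalize_page_url( string $url ): ?array {
    $parts = parse_url( $url );
    if ( $parts === false || empty( $parts['host'] ) ) {
        return null; // relative or malformed URL: refuse to match anything
    }
    $scheme = strtolower( $parts['scheme'] ?? 'http' );
    $port   = $parts['port'] ?? ( $scheme === 'https' ? 443 : 80 );
    $path   = rtrim( $parts['path'] ?? '/', '/' );
    return [ strtolower( $parts['host'] ), $port, $path ];
}

/** True only if $current_url is the login page itself; the query string is ignored. */
function is_login_request( string $current_url, string $login_url ): bool {
    $current = normalize_page_url( $current_url );
    $login   = normalize_page_url( $login_url );
    return $current !== null && $current === $login;
}

/** Substring check on the login path, kept only for comparison. */
function is_login_request_substring( string $current_url, string $login_url ): bool {
    $login_path = rtrim( (string) parse_url( $login_url, PHP_URL_PATH ), '/' );
    return $login_path !== '' && strpos( $current_url, $login_path ) !== false;
}

// Constructed sample data: a filtered login URL as in the thread, plus four requests.
$login_url = 'http://inspyde-auth.local/login/?redirect_to=/beispiel-seite/';
$requests  = [
    'http://inspyde-auth.local/login/',            // the login page itself
    'http://inspyde-auth.local/some-page/login/',  // sub-page whose permalink ends in /login/
    'http://inspyde-auth.local/beispiel-seite',    // ordinary protected page
    'http://other-site.inspyde-auth.local/login/', // same path on another (constructed) multisite host
];

foreach ( $requests as $url ) {
    printf(
        "%-46s exact=%-5s substring=%s\n",
        $url,
        var_export( is_login_request( $url, $login_url ), true ),
        var_export( is_login_request_substring( $url, $login_url ), true )
    );
}
```

Any request the check reports as the login page is skipped by the redirect, so a false positive leaves that page reachable without authentication, while a false negative on the real login page produces the loop this issue is about.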