Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable URL Recovery from logout #948

Merged
merged 5 commits into from
May 5, 2024
Merged

Conversation

ssteeltm
Copy link
Contributor

to acomplish the discussed in https://forum.itflow.org/d/688-session-expire-should-back-with-current-url

When yout get logged out from session expire, it will save last url tried, to when logging again redirect to it.

Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello & Welcome! :)

Thanks for taking the time to help improve ITFlow. We're excited to review your contributions - we'll review this PR as soon as we can!

Whilst you're waiting, please feel free to check out the forum.

Just so you know, all contributions to ITFlow are licensed under the GNU GPL. By contributing you grant us a perpetual & irrevocable license to include your work in ITFlow.

@wrongecho
Copy link
Collaborator

Hey there,

Thanks for the PR!
Been super busy so I haven't had a chance to try this out yet, but I like the idea!

My only issue is that if you put an external link in the URL parameter, it looks like you could potentially divert people to third party websites. This is known as an Open Redirect vulnerability and is generally used in phishing campaigns.

https://portswigger.net/kb/issues/00500100_open-redirection-reflected

https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

I'm sure there's a way to mitigate but would love to hear your thoughts?

@ssteeltm
Copy link
Contributor Author

ssteeltm commented May 3, 2024

I see now the potential issue.
What if, we just save the uri, since domain we can get from config, and also, we could hash somehow the query parameter

fixed domain url from config to prevent open redirect issue and encoded uri
@wrongecho
Copy link
Collaborator

This looks good to me!

The only thing I could think may be an issue is setting the location based off the $_SERVER["REQUEST_SCHEME"]. I know some will be running ITFlow HTTP (as far as the server is concerned) but then using a reverse proxy/tunnel for the HTTPS. What do you think about defaulting that to HTTPS or // (which should default to whatever the users browser is connecting with)?

(Nitpick: would be fab if you could add a space after the IF statement and include braces for both - it's our standard, even if there's only one line within the statement).

Either way @johnnyq I'm happy to get this merged for now and fix forward.

@ssteeltm
Copy link
Contributor Author

ssteeltm commented May 4, 2024

Hello, no problem, I'll change if standard.
About http scheme, I use haproxy pointing to itflow and didnt have issues wirh it.

Copy link

sonarqubecloud bot commented May 4, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

@johnnyq
Copy link
Collaborator

johnnyq commented May 5, 2024

Looks great to me @wrongecho and thank you for the patch @ssteeltm merging in

@johnnyq johnnyq merged commit aca1a13 into itflow-org:master May 5, 2024
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants