Hi, first I would like to congratulate you on all the hacks you're doing. They all really helped me.
I have a tiny problem with the auto-login hack. Let's take the following example about userX:
- userX has activated the auto-login function for siteA
- It works perfectly: when he opens his browser and goes to siteA, he is automatically logged in
- userX now has his browser closed
- He receives a notification by email: a new message has been posted in the forums of siteA
- He clicks on the link provided in the post.
- His browser opens, and, because of the excellent auto-login hack, he automatically logs in
- However, he is redirected to the home page and not to the forum post he was hoping for.
A lot of my users are complaining because they don't understand what is happening lol
I've looked at the code and found this:
Quote:
    // Anti-CSRF measure: once the autologin cookie has created a session,
    // refuse to continue to a URL that carries parameters (a possible
    // attacker-crafted GET action) and send the user to the top page instead.
    if ( ! empty( $_SERVER['QUERY_STRING'] ) ) {
        // redirect_header() is the XOOPS helper: target URL, delay in seconds, message to show
        redirect_header( XOOPS_URL . '/', 0, _AUTOMATIC_LOGIN );
        exit;
    }
It seems as if it is on purpose that the user is redirected to the home page, because it protects against a certain attack?
Is there a way the user could be redirected to the page he was asking for?
Thanks for your help!
Cheers!
Hi marcan.
I'm sorry that my answer is too late.
I know the redirection is not so convenient.
If there is no CSRF-vulnerable code in the core and modules, the 4 lines should be commented out.
But I have to say the core of 2.0.9.2 is not secure enough against CSRF attacks.
But!
I'm glad to hear the core team adopts a token system in 2.0.10 and later.
Thus, the redirection will be eliminated in the autologin hack for 2.0.10 and later.
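To make concrete why the four lines above sacrifice marcan's deep link, and why a token system lets them go, here is an added simulation that is not part of the autologin hack or of XOOPS. It replays the mailed notification link and an attacker's GET-based action link against a browser that only holds the persistent autologin cookie, under three policies: plain autologin, the posted redirect-to-top snippet, and autologin combined with a session-bound token on state-changing actions. The site URL, the newbb paths, the cookie and the HMAC token scheme are all constructed for the example (XOOPS's own token implementation is not shown here).

```python
"""Added example (not the autologin hack's own code): how an autologin cookie
interacts with GET-based actions under three policies. URLs, cookies, module
paths and the token scheme are constructed for this illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

SITE = "https://siteA.example"        # stand-in for XOOPS_URL (assumption)
SECRET = b"server-side secret"        # constructed; never leaves the server


@dataclass
class Request:
    url: str
    cookies: dict
    session: dict = field(default_factory=dict)   # server-side session store


def autologin_user(cookies):
    """Stand-in for the persistent-cookie check: the cookie simply names the user."""
    return cookies.get("autologin")


def csrf_token(session):
    """Per-session token derived from the session id with a server secret.
    A link mailed by an attacker cannot carry it: the attacker never sees sid."""
    return hmac.new(SECRET, session["sid"].encode(), hashlib.sha256).hexdigest()


def dispatch(req, require_token):
    """Route a logged-in request. delete.php changes state and is the CSRF target."""
    parts = urlsplit(req.url)
    params = dict(parse_qsl(parts.query))
    if parts.path == "/modules/newbb/viewtopic.php":
        return ("200", "topic %s for %s" % (params.get("topic_id"), req.session["uid"]))
    if parts.path == "/modules/newbb/delete.php":
        given = params.get("token", "")
        if require_token and not hmac.compare_digest(given, csrf_token(req.session)):
            return ("403", "missing or wrong token")
        return ("200", "deleted post %s" % params.get("post_id"))
    return ("200", "home")


def serve(req, policy):
    """policy 'none':     auto-login and run the request as-is
       policy 'redirect': the posted snippet, auto-login then bounce to the top page
                          whenever the URL has a query string
       policy 'token':    auto-login, continue to the requested page, but state-changing
                          actions must present the session token"""
    if "uid" not in req.session:
        user = autologin_user(req.cookies)
        if user is None:
            return ("200", "guest view")
        req.session.update(uid=user, sid=secrets.token_hex(16))
        if policy == "redirect" and urlsplit(req.url).query:
            return ("302", SITE + "/")
    return dispatch(req, require_token=(policy == "token"))


def run_scenarios():
    """Replay the notification link and an attacker's action link under each policy."""
    notify = "/modules/newbb/viewtopic.php?topic_id=5"
    attack = "/modules/newbb/delete.php?post_id=7"
    out = {}
    for policy in ("none", "redirect", "token"):
        for name, path in (("notify", notify), ("attack", attack)):
            req = Request(SITE + path, {"autologin": "userX"})   # browser was closed: no session yet
            out[(policy, name)] = serve(req, policy)
    # Legitimate delete under the token policy: the user is already logged in and the
    # page he is on embedded the token into the link it rendered for him.
    req = Request(SITE + "/", {"autologin": "userX"})
    serve(req, "token")                                      # establishes the session
    req.url = SITE + attack + "&token=" + csrf_token(req.session)
    out[("token", "legit-delete")] = serve(req, "token")
    return out


if __name__ == "__main__":
    for key, result in run_scenarios().items():
        print(key, result)
```

Under 'none' the attacker's link deletes the post in the very request that logged userX in; 'redirect' blocks that but also throws away the viewtopic link; 'token' keeps the deep link working and still refuses the mailed delete, because only a page served inside the session can carry a valid token.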
Quote:
I'm sorry that my answer is too late.
No problem! We are all busy!
Quote:
Thus, the redirection will be eliminated in the autologin hack for 2.0.10 and later.
Marvelous!
Thanks!
With the latest version of the autologin hack, you are not going to be redirected to the top page.
Of course, it is safe against CSRF even with XOOPS <= 2.0.9.3.
Double redirection allows it.
Perhaps this technique is the same as Hotmail's or the other major webmail services'.