
I wish to redirect users to the login page if they attempt to visit a page which requires them to be logged in. After logging in, however, I want to redirect the user back to their original destination. I've written a "redirect.php" script which is to be included on all such pages:

    <?php
    require "session.php";
    if (!$user) {
        header("Location: login.php?dest=" . urlencode($_SERVER["REQUEST_URI"]));
        die();
    }
    ?>

Then on my login page I have the following:

    <?php
    $dest = "./";
    if (isset($_GET["dest"])) {
        $dest = $_GET["dest"];
    }
    ?>

with the following JavaScript:

    var URL = "<?php echo $dest; ?>";
    //...
    //upon successful login (via AJAX):
    window.location.replace(URL);

Everything here works as intended but where does this stand from a security standpoint?

One vulnerability that comes to mind is something like

http://mysite.com/login.php?dest=http://phishingsite.com

How might I best prevent something like this? Would regex be suitable here?

Are there any other security concerns with this type of thing? Perhaps a standard way of doing this? Or better yet, a method which does not use GET variables at all?

Malachi
asked Dec 18, 2014 at 14:21
  • Anything speaking against using a session for this rather than a URL parameter? Commented Dec 18, 2014 at 15:09
  • No, not at all. I hadn't even considered the use of sessions prior to the user actually logging in. Care to expand? I see this approach requiring an additional page request unless maybe dedicating another page to the redirection... Commented Dec 18, 2014 at 15:32
  • I would consider using sessions as @Mario pointed out. Additionally, to stop against phishing, you could check that the domain is correct before redirecting. Commented Dec 18, 2014 at 15:43
  • Are there any downsides to using sessions? Because I'm having a hard time coming up with any reasons to stick with GET besides the fact that I've seen them used before. Commented Dec 18, 2014 at 15:52
  • The one main advantage is you can send the redirect URL to anyone. I do this quite often when telling clients where to go once logging in to their CMS, so it redirects them directly to the page they need to be on. See my answer. Commented Dec 18, 2014 at 15:55

1 Answer


The way you're doing it has advantages over a session-based redirect because you have the ability to link people directly to that login with redirect URL.

The disadvantage is phishing as you pointed out.

http://www.mysite.com/login.php?dest=http://mysite.phishing.com/

The way you're doing this, using $_SERVER['REQUEST_URI'], means you expect the $_GET['dest'] to only include a path, not a domain.

So you could add a check in the login page where it sets the $dest:

    $dest = "./";
    if (isset($_GET["dest"]))
    {
        $parts = parse_url($_GET['dest']);
        // if there is no `host` key set in the parse_url array, then it's an internal path
        // so set the new $dest
        if (!isset($parts['host']))
        {
            $dest = $_GET["dest"];
        }
    }
answered Dec 18, 2014 at 15:54
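
A stricter form of the check in the answer above, as an added example that is not part of the original question or answer: it also treats a parse_url() failure, a scheme, a leading "//" and backslashes as untrusted, and it encodes the value for the script context with json_encode() instead of echoing it between quotes. The helper name safe_dest() and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: safe_dest() is a hypothetical helper, not code from this page.

/**
 * Return $candidate only when it is a same-site absolute path, else $fallback.
 */
function safe_dest($candidate, string $fallback = "./"): string
{
    // dest[]=x arrives as an array; anything but a non-empty string is untrusted.
    if (!is_string($candidate) || $candidate === "") {
        return $fallback;
    }
    // REQUEST_URI always starts with a single "/". A leading "//" is a
    // protocol-relative URL, which browsers resolve to another host.
    if ($candidate[0] !== "/" || substr($candidate, 0, 2) === "//") {
        return $fallback;
    }
    // Browsers may treat "\" like "/", and control characters have no place in a path.
    if (preg_match('/[\\\\\x00-\x1F\x7F]/', $candidate)) {
        return $fallback;
    }
    // parse_url() returns false on malformed input: treat that as untrusted too.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts["scheme"]) || isset($parts["host"])) {
        return $fallback;
    }
    return $candidate;
}

// Constructed sample inputs, for demonstration only.
$samples = [
    "/account/settings.php?tab=2",  // same-site path with a query string
    "http://phishingsite.com",      // absolute URL from the question
    "//phishingsite.com",           // protocol-relative URL
    "/\\phishingsite.com",          // backslash variant
    "javascript:void(0)",           // scheme without a host
];
foreach ($samples as $sample) {
    printf("%-30s => %s\n", $sample, safe_dest($sample));
}

// On login.php: validate first, then encode for the JavaScript string context
// instead of echoing the raw value between quotes.
$dest = safe_dest($_GET["dest"] ?? null);
$flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
echo "var URL = " . json_encode($dest, $flags) . ";\n";
```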