  • manuelpedrera 18 posts 38 karma points
    Dec 16, 2010 @ 10:45
    manuelpedrera
    0

    Redir after login @ backoffice

    Hey,

    Due to a security test that my project has to pass, we need to get rid of the login redirection, or change the way it's done:

    /umbraco/login.aspx?redir=

    It should be done in a way that the user cannot change the URL manually. Is it possible to change this via any parameter or configuration, or do we have to change the source code?

    Thanks

  • Chris Koiak 700 posts 2626 karma points
    Dec 16, 2010 @ 12:01
    Chris Koiak
    1

    I doubt there's a config setting to change this within Umbraco. You could write an HTTPHandler that intercepts this request and responds appropriately, maybe by just stripping this parameter.

    This would disable this functionality completely but it's not core functionality as it only allows the user to jump to a specific page in the back office.

    Chris

  • manuelpedrera 18 posts 38 karma points
    Dec 16, 2010 @ 13:36
    manuelpedrera
    0

    Thanks for your response Chris,

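    I opted for adding a piece of JS in login.aspx:

    <script type="text/javascript">
        $(function() {
            // Parse the query string. With no argument, return the list of keys
            // (values attached as properties); otherwise return the value for one key.
            function getUrlVar(requestedKey) {
                var vars = [], hash;
                var hashes = window.location.href.slice(window.location.href.indexOf('?') + 1).split('&');

                for (var i = 0; i < hashes.length; i++) {
                    hash = hashes[i].split('=');
                    vars.push(hash[0]);
                    vars[hash[0]] = hash[1];
                }
                if (typeof requestedKey == 'undefined') {
                    return vars;
                } else {
                    return vars[requestedKey];
                }
            }

            // Only act on the page that contains the login form.
            if ($("form#Form1").length > 0) {
                var redir = getUrlVar("redir");

                // Rewrite only when a redir parameter is present: without this check
                // indexOf("redir") returns -1 and the page navigates to a broken relative URL.
                if (typeof redir != 'undefined' && redir != "/umbraco/default.aspx") {
                    var currentUrl = window.location.href;
                    var redirPos = currentUrl.indexOf("redir");

                    // Reload the login page with the fixed back-office target.
                    window.location.href = currentUrl.substring(0, redirPos) + "redir=/umbraco/default.aspx";
                }
            }
        });
    </script>
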
  • Chris Koiak 700 posts 2626 karma points
    Dec 16, 2010 @ 13:48
    Chris Koiak
    0

    Glad you found a solution. Remember though that someone can still use the 'redir' functionality if they disable JavaScript.
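
Added example, not part of the original thread and not Umbraco's own code: the server-side interception suggested in the second post, written as an ASP.NET `IHttpModule` so the check still applies when JavaScript is disabled. The class name `RedirGuardModule`, its web.config registration and a site hosted at the root path are assumptions; the two paths are the ones quoted in the thread.

```csharp
using System;
using System.Web;

// Hypothetical module: register it in web.config under
// <system.webServer><modules> (or <system.web><httpModules> in classic mode).
public class RedirGuardModule : IHttpModule
{
    // Paths as quoted in the thread; assumes the site runs at the root.
    private const string LoginPath = "/umbraco/login.aspx";
    private const string AllowedRedir = "/umbraco/default.aspx";

    public void Init(HttpApplication application)
    {
        // Runs before login.aspx executes, for GET and POST alike.
        application.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        HttpRequest request = context.Request;

        // FilePath excludes trailing path info, so /umbraco/login.aspx/x is covered too.
        if (!string.Equals(request.FilePath, LoginPath, StringComparison.OrdinalIgnoreCase))
            return;

        // QueryString keys are matched case-insensitively and values arrive URL-decoded.
        // A repeated parameter (?redir=a&redir=b) is returned as "a,b" and fails the
        // comparison below, so it is rejected as well.
        string redir = request.QueryString["redir"];
        if (redir == null ||
            string.Equals(redir, AllowedRedir, StringComparison.OrdinalIgnoreCase))
            return;

        // Any other value is discarded: send the browser back to the login page
        // with the fixed target. A tampered POST becomes a fresh GET, so the
        // login attempt fails closed instead of following the supplied value.
        string target = LoginPath + "?redir=" + HttpUtility.UrlEncode(AllowedRedir);
        context.Response.Redirect(target, false);
        context.ApplicationInstance.CompleteRequest();
    }

    public void Dispose() { }
}
```

A request without any `redir` parameter is passed through unchanged, so whatever default the login page applies in that case still holds.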
