
Doubts about login/logout redir behaviour #236

Open

frederikhors opened this issue Jun 7, 2019 · 3 comments

Comments

@frederikhors (Contributor)

Issue opened for the creation of a wiki page that summarizes the doubts and problems for newbies (#210).

I have two doubts about the redir behaviour of authboss.

SCENARIO:

I have two sides:

  • backend.mysite.com
  • client.mysite.com

Many times I need to disconnect the user, so I redirect them from, let's say, client.mysite.com/teams/1 to backend.mysite.com/authboss/logout?redir=/teams/1.

It doesn't work because authboss detects an unauthorized account (invalidated from the client side) and redirects to backend.mysite.com/authboss/login?redir=%2F, and I lose my redir info.

DOUBT 1:

Can we pass redir info from /logout to /login?

DOUBT 2:

Even if I use /login?redir=/teams/1, I read some time ago that it is wrong - from a security point of view - to enter complete URLs in the redir info, such as: backend.mysite.com/authboss/login?redir=https://client.mysite.com/teams/1.

I know authboss automagically adds the backend.mysite.com/ part after login and before redirect to redir.

Is there a way to change this initial part (eg. with https://client.mysite.com/)?

Is Config.Paths.AuthLoginOK involved here in some way?

frederikhors changed the title from "Doubts about login/logout redir behaviour." to "Doubts about login/logout redir behaviour" on Jun 7, 2019

frederikhors (Contributor, Author) commented Jun 7, 2019

I found this: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md.

Safe use of redirects and forwards can be done in a number of ways:

  • Simply avoid using redirects and forwards.
  • If used, do not allow the url as user input for the destination. This can usually be done. In this case, you should have a method to validate URL.
  • If user input can’t be avoided, ensure that the supplied value is valid, appropriate for the application, and is authorized for the user.
  • It is recommended that any such destination input be mapped to a value, rather than the actual URL or portion of the URL, and that server side code translate this value to the target URL.
  • Sanitize input by creating a list of trusted URLs (lists of hosts or a regex).
  • Force all redirects to first go through a page notifying users that they are going off of your site, and have them click a link to confirm.

aarondl (Member) commented Jul 13, 2019

Hi again @frederikhors. I'm actually not sure that that's a supported way of using authboss (to redirect outside its primary domain). It is definitely wrong to allow a full URL in the redir query parameter. Sounds like a special feature request you'd have to patch in yourself for your use case :(

aarondl (Member) commented Jul 13, 2019

If you wanted to make it a real feature in Authboss it'd have to use the trusted URLs as shown in the notes you pasted.
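The trusted-host check that both the pasted OWASP notes and the reply above point at, written out as an added Go example. This is not authboss code: the function name SafeRedirect, the trustedHosts allowlist and the sample inputs are all constructed for this example. It accepts either a same-origin path or an absolute https URL whose host is on the list, and otherwise returns a fallback, covering the open-redirect shapes a naive prefix check misses: protocol-relative //host, percent-encoded leading slashes, userinfo before @, backslashes, lookalike hosts and non-https schemes.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Hosts a login/logout flow may send the browser to. The two names come from the
// issue; keeping them in an allowlist (rather than trusting the redir value) is
// what the quoted OWASP cheat sheet recommends. Constructed for this example.
var trustedHosts = map[string]bool{
	"backend.mysite.com": true,
	"client.mysite.com":  true,
}

// SafeRedirect validates a user-supplied redir value. It returns the value to
// redirect to, or fallback when redir is not acceptable. Two shapes pass:
//   - a same-origin path such as /teams/1 (returned as a relative path);
//   - an absolute https URL whose host is listed in trustedHosts.
// Everything else (other schemes, protocol-relative //host, userinfo before @,
// backslashes, whitespace, ports or hosts not in the list) is rejected.
func SafeRedirect(redir, fallback string) string {
	if redir == "" {
		return fallback
	}
	// Browsers treat "\" like "/" and tolerate stray whitespace; url.Parse does
	// not, so reject both instead of reasoning about the two parsers' differences.
	if strings.ContainsAny(redir, "\\ \t\r\n") {
		return fallback
	}
	u, err := url.Parse(redir)
	if err != nil {
		return fallback
	}
	if u.Scheme == "" && u.Host == "" {
		// Relative target. url.Parse already moves "//evil.com/x" into u.Host,
		// but "/%2F%2Fevil.com" decodes to a path starting with "//", which a
		// browser would again read as a protocol-relative URL, so check the
		// decoded path as well.
		if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") ||
			strings.ContainsRune(u.Path, '\\') {
			return fallback
		}
		// Rebuild from the parsed parts so only path and query survive.
		return (&url.URL{Path: u.Path, RawQuery: u.RawQuery}).String()
	}
	// Absolute target: https only, no userinfo, host exactly in the allowlist.
	// u.Host keeps the port, so client.mysite.com:8443 is not the same entry.
	if u.Scheme != "https" || u.User != nil || !trustedHosts[strings.ToLower(u.Host)] {
		return fallback
	}
	return u.String()
}

func main() {
	// Constructed inputs: the two legitimate targets from the issue followed by
	// the usual open-redirect bypass attempts.
	for _, redir := range []string{
		"/teams/1",
		"https://client.mysite.com/teams/1",
		"//evil.com/teams/1",
		"/%2F%2Fevil.com",
		"https://client.mysite.com.evil.com/",
		"https://client.mysite.com@evil.com/",
		"http://client.mysite.com/",
		"javascript:alert(1)",
	} {
		fmt.Printf("%-40q -> %q\n", redir, SafeRedirect(redir, "/"))
	}
}
```

In the scenario from the issue, /logout would run the redir value through this check before forwarding it to /login, and /login would run it again before the final redirect; the fallback is the application's normal post-login page. Matching the host exactly against a short list, rather than by prefix or regex, is what keeps client.mysite.com.evil.com and client.mysite.com@evil.com out.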
