This post is closed.

Redirect target option after login #182

When clicking on a link to a Panel subpage like, users not yet logged in are redirected to the login form; after login, they land on the Panel dashboard, not the intended subpage.

It would be convenient if the login flow could forward users to the URL they initially requested (e.g. when sending out such links for supporting clients, directing them to a specific URL in the Panel).

Having such a “redirect after login” feature could also be handy for frontend pages that require authentication: a URL option like (format is just an example) would lead users to log in first, then to the intended target page.

2 years ago

@sebastiangreger The feature to redirect users to the requested Panel URL after logging in is actually already implemented since Kirby 3.0 as far as I remember. I just tested it again and it worked just fine. If it doesn’t work for you, please open an issue with details of the used browser etc. Please keep in mind that it only works if the login page isn’t reloaded before logging in (the target URI is kept in a variable on the frontend).

The feature to redirect to arbitrary pages after login is a nice idea. We would need to check that the passed URL cannot be manipulated in a way that allows for attacks though.

2 years ago

@Lukas Thanks for pointing out my misconception – in my initial tests the login page was indeed reloaded (due to a password manager setup issue). Classic “user error” and a retest confirms: Kirby’s feature works as you describe!

Considering potential attack vectors is an important point. At least the user input in the URL would have to be sanitized to mitigate XSS and HTTP Response Splitting attacks, and the redirect target would likely have to be strictly limited to local URLs in order to make social engineering attacks impossible? The OAuth Covert Redirect vulnerability comes to mind as well…

This would be a very convenient feature for building sites that require login, but of course only if security concerns don’t outweigh the benefits.

2 years ago
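The checks discussed in this thread (refusing CR/LF so the value cannot split the HTTP response, limiting the target to local URLs so the login page cannot be used as an open redirect for phishing, and comparing the host exactly rather than by suffix, which is the mistake behind the Covert Redirect class of bugs) can be written as one validation function. The block below is an added example and not Kirby's code; it is written in Python rather than Kirby's PHP so it can be run stand-alone, and the function name `safe_redirect_target`, the fallback `/panel` and the sample inputs are all assumptions constructed for the example. It accepts only a site-relative path or an absolute http(s) URL to exactly the site's own authority, and reduces the latter to a relative target so the `Location` header never names a host at all.

```python
"""Validate a "redirect after login" target so it can only lead back into
the same site. Added example, not Kirby code; Python instead of Kirby's PHP
so the checks run stand-alone."""
from typing import Optional
from urllib.parse import urlsplit, unquote

DEFAULT_TARGET = "/panel"  # assumed fallback; a real install would use its own Panel URL


def _has_control_chars(value: str) -> bool:
    """True if value contains an ASCII control character (CR, LF, NUL, DEL, ...)."""
    return any(ord(ch) < 0x20 or ch == "\x7f" for ch in value)


def safe_redirect_target(raw: Optional[str], site_host: str,
                         default: str = DEFAULT_TARGET) -> str:
    """Return a redirect target that is guaranteed to stay on site_host.

    Accepted:
      * a site-relative path such as "/panel/pages/blog" (query/fragment kept)
      * an absolute http(s) URL whose authority is exactly site_host; it is
        reduced to path + query + fragment so the Location header is relative
    Everything else (other hosts, other schemes, scheme-relative "//host",
    backslash tricks, control characters, paths without a leading "/")
    falls back to `default`.
    """
    if not raw:
        return default
    raw = raw.strip(" ")

    # HTTP response splitting: a CR or LF inside the value would terminate the
    # Location header early and let the rest inject headers, so refuse it.
    if _has_control_chars(raw):
        return default

    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: allow only http(s) to exactly our own
        # authority. Comparing the whole netloc (not just the hostname) also
        # rejects "https://example.com@evil.com/" and unexpected ports, and an
        # exact comparison (not endswith) rejects "example.com.evil.com".
        if parts.scheme not in ("http", "https"):
            return default
        if parts.netloc.lower() != site_host.lower():
            return default

    # Rebuild the site-relative form from the parsed components.
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    if parts.fragment:
        path += "#" + parts.fragment

    # The result must start with exactly one "/": browsers resolve "//evil.com"
    # as a scheme-relative URL to another host and normalise "/\evil.com" to
    # "//evil.com". The percent-decoded form is checked as well, in case a
    # later layer decodes the path before issuing the redirect.
    for candidate in (path, unquote(path)):
        if not candidate.startswith("/") or candidate[1:2] in ("/", "\\"):
            return default
    return path


# Constructed sample inputs (not from the thread) covering the cases above.
SAMPLES = [
    "/panel/pages/blog",
    "https://example.com/panel/pages/blog?tab=files",
    "//evil.com/panel",
    "/\\evil.com",
    "/%2F%2Fevil.com",
    "https://example.com@evil.com/panel",
    "https://example.com.evil.com/panel",
    "javascript:alert(1)",
    "/panel\r\nSet-Cookie: session=attacker",
    "panel/pages",
]


def check_samples(site_host: str = "example.com") -> dict:
    """Map each constructed sample to the target the login flow would use."""
    return {raw: safe_redirect_target(raw, site_host) for raw in SAMPLES}


if __name__ == "__main__":
    for raw, target in check_samples().items():
        print(f"{raw!r:48} -> {target}")
```

The function only decides where to send the browser; the other half of the XSS concern raised above is to never echo the raw value into HTML unescaped (e.g. in a hidden form field on the login page), which the templating layer has to handle separately.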