Forum OpenACS Development: ad_return_url and login link in the header bar

Hi everyone!

While testing the new version 5.10.1 it was brought to our attention that the login was returning some interesting information in the query parameters. It was a bit interesting because our first thought was that the form submission was the main culprit, but it was simpler than that: the login link in the header bar.

You can reproduce this by going to the register page:

https://openacs.org/register/

Then press the link in the top right corner and the result will be something like this:

https://openacs.org/register/?return_url=/

If the credentials are correct then it is not a problem, but if not, then after submitting, if you try to go to the link again, you will get a different return URL:

https://openacs.org/register/?return_url=/register/?persistent_p%3dt%26__refreshing_p%3d0%26ok%3dok%26form:mailto:id%3dlogin%26__confirmed_p%3d0%26time%3d1737484712%26host_node_id%3d%26email%3dasdfasdf@test.com%26return_url%3d/pvt/home%26form:mode%3dedit%26hash%3dAB21E250979036C87F6F393B3127433470056C9C%26token_id%3d529

After searching, it was found that the procedure used to create the return_url, ad_return_url, has code that always adds the form to the query string.

# Fragment from ad_return_url (acs-tcl): while a connection is active, the
# entire submitted form is exported into the query string of the return URL,
# so every posted field (credentials included) ends up in the address bar.
if {[ns_conn isconnected]} {
    set query_list [export_vars -entire_form]
    set base_url   [ns_conn url]
}

My question is: Is it possible to add another flag to the API for the ad_return_url procedure to either include or exclude the -entire_form flag? That way we can still use the return URL without having to work around it.

Thanks

JC

Posted by Gustaf Neumann on
Dear Josue,

Probably you are referring with "link in the top right corner" to the login link provided by the bootstrap themes, in case you are NOT logged in. When you are logged in, the link is different.

If this assumption is right, then this issue was already discussed in Aug 2023 [1]. The fix for this issue was addressed by removing the password information from the form.

Do you have versions of the theme package in place containing the fix?

Do you have a custom header bar requiring a similar fix?
Do you have some other concerns?

All the best
-gn

[1] https://openacs.org/bugtracker/openacs.org/bug?format=table&f_state=11&bug_number=150&project_id=3069

Posted by Josue Cardona on
Thanks Gustaf!

You are correct: it is only when you are not registered, and I have the version of the theme that has the fix, but only the password has been considered.

In my case it involves a custom form for the login, and it includes more inputs. For security reasons we would like to not include any of the values entered in the address bar, and I was thinking more of a broader fix, so that we will not have to worry about any of the custom inputs for each change we make.

I know we could create a custom theme and a custom proc to handle that logic, which we have to some degree, but I was thinking that it would be better to keep using the default procs from acs-tcl in case those were to change in the future.

JC

Posted by Gustaf Neumann on
The primary purpose of "ad_return_url" is to return all form and query variables. For instance, if a user's session times out while filling out a form - regardless of the application or package in use - you wouldn't want to lose the user's input. Instead, after revalidating the user credentials via the register page, the user should be seamlessly returned to the partially completed form.

There may be scenarios where returning all form variables is not desired, which raises the question whether "ad_return_url" is the best choice in those cases. To address such concerns, the updated version of "ad_return_url" in the HEAD branch now supports both positive and negative selections of query/form variables for inclusion in the return URL. The new parameters follow the terminology established by "export_vars".

For details, see the commit [1]

Hope this helps
-g

[1] https://openacs.org/api-doc/proc-view?proc=ad_return_url&source_p=1
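The behaviour discussed in this thread, as an added stand-alone Tcl illustration (not the OpenACS code and not the committed ad_return_url API): build_return_url, url_encode and the sample form values are hypothetical, and the -include/-exclude options only mimic the export_vars-style positive/negative selection Gustaf describes.

```tcl
# Added example: a stand-alone Tcl 8.6 sketch of how a return URL is built
# from a submitted form, and how an allow list / deny list keeps credentials
# out of the query string. Not the OpenACS implementation.
package require Tcl 8.6

# Percent-encode one query-string component (RFC 3986 unreserved set kept).
proc url_encode {value} {
    set out ""
    foreach ch [split [encoding convertto utf-8 $value] ""] {
        if {[regexp {^[A-Za-z0-9._~-]$} $ch]} {
            append out $ch
        } else {
            scan $ch %c code
            append out [format %%%02X $code]
        }
    }
    return $out
}

# Build a return URL from the current page and its form variables.
#   form_vars : flat name/value list, as a form submission would supply
#   -exclude  : names that must never be exported (deny list, e.g. password)
#   -include  : when non-empty, only these names are exported (allow list)
proc build_return_url {base_url form_vars args} {
    array set opt {-exclude {} -include {}}
    array set opt $args
    set pairs {}
    foreach {name value} $form_vars {
        if {$name in $opt(-exclude)} continue
        if {[llength $opt(-include)] && $name ni $opt(-include)} continue
        lappend pairs [url_encode $name]=[url_encode $value]
    }
    if {[llength $pairs] == 0} {
        return $base_url
    }
    return $base_url?[join $pairs &]
}

# Constructed sample input: what a failed login submission might carry.
set form {email user@example.com password hunter2 return_url /pvt/home}

# Entire form exported: the password lands in the address bar (the thread's bug).
puts [build_return_url /register/ $form]
# Deny list: drop the credential field, keep the rest of the user's input.
puts [build_return_url /register/ $form -exclude {password}]
# Allow list: export only the fields that are safe to round-trip.
puts [build_return_url /register/ $form -include {email return_url}]
```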

Posted by Josue Cardona on
This solution, which goes even further than I thought, greatly helps.

Thank you Gustaf!

JC