GeoIP redirection and Varnish - magento2

We have an ecommerce setup that uses a GeoIP plugin to redirect users to the right store. The setup is as below:
Cloudflare -> Nginx -> Varnish -> Apache -> Magento (GeoIP Plugin)
We have country-specific home page redirections set up as per the table below:
www.myecomstore.com from US goes to www.mystore.com/en-US
www.myecomstore.com from Canada goes to www.mystore.com/en-CA
www.myecomstore.com from Australia goes to www.mystore.com/en-AU
and so on...
We were told to add this code to Varnish to bypass first time visitors so the GeoIP module can redirect users properly to the right store instead of Varnish delivering cached home page content all the time.
if (req.http.cookie !~ "PHPSESSID=") {
    return (pass);
}
My understanding is that the above Varnish code will bypass first-time visitors so they can be redirected properly to the right store. Subsequent visits by the same visitor will be fetched from Varnish as required/possible.
Without the first-time bypass, visitors will be shown the cached default home page irrespective of which country they came from.
Can someone please help clarify?


According to the vulnerability scoring scheme, what score can a client-side DoS attack get?

For example, I am testing a website and I found some invalid (error) pages. You visit the page and receive status code 500. But now if you reload the page or visit any valid page on the website, it just gets stuck on loading until you clear the cookies of that site from the browser. So maybe this activity makes the current user's cookies/session invalid on the server side, I guess, so you clear cookies and reload the page and it becomes normal. In terms of severity, in which category can we identify this issue?
There are lots of ways to exploit this bug in real life.
For example: send this page link to a victim so he/she might think that the whole website is down, and you may lead them to other optional sites or your own website for your personal benefit, maybe.
I would grade it with this CVSS-vector:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
which results in a score of 3.5 (LOW)
Reasoning:
Attack Vector - Network: You send the malicious link to the victim via the internet
Complexity - Low: It is rather easy to spot the vuln, and sending a link is easy as well
Privileges - Low: You need an account on the page to find the vuln
User interaction - Required: Victim needs to click on the link
Scope - Unchanged: nothing changes beyond your session in the web application
Confidentiality + Integrity - None: Not affected
Availability - Low: Only a single session is affected

Oracle APEX 5: how to navigate to some other page (not the default home page) after login

I'm using Oracle APEX 5.
From the application, I'm sending mails to different users with different page links based on user roles.
For example, my app_id is 222.
For a user: the URL sent to the user's mail ID is <hostname>:<port>/apex/f?p=222:5
For a manager: the URL sent to the user's mail ID is <hostname>:<port>/apex/f?p=222:7
In Chrome it works fine: the user or manager goes to the link and, after login, they are redirected to the respective page, 5 or 7.
But in IE, it always goes to the Home page, which is 1.
I have tried APEX_CUSTOM_AUTH.LOGIN in the after-submit branch PL/SQL procedure of the login button as well (on the login page).
BEGIN
  APEX_CUSTOM_AUTH.LOGIN (
    p_uname      => :P101_USERNAME,
    p_password   => :P101_PASSWORD,
    p_session_id => V('APP_SESSION'),
    -- p_app_page expects 'APP_ID:PAGE_ID'; the session id is not part of it
    -- (:p_session_id is not a bind variable that exists on the page)
    p_app_page   => :APP_ID || ':7');
END;
Again it works fine in Chrome, but NOT in IE.
In IE, it always goes to the home page. The IE version is 11. Why is IE not able to go to the page needed? Please help.
(Chrome version 54. By the way, how does it work fine in Chrome?)
This is not an academic solution, but it will work.
Set a parameter in your application to know whether people come from a mail or a normal login.
Set a parameter in your application where you store the value from the link in the mail.
Now the magic: do a Dynamic Action on Page Load and use JS to redirect to the desired page. Obviously the DA has to be conditional, and the condition must be the parameter that records where you came from.

How to redirect/map from AuthenticateExternalAsync to an externalregistration Angular page

I am using external providers to log in to my web app (for example Google). In my custom user service I get to AuthenticateExternalAsync and from there I want (if needed) to redirect to an Angular page.
public override Task AuthenticateExternalAsync(ExternalAuthenticationContext context)
{
    ...
    ...
    context.AuthenticateResult = new AuthenticateResult("~/externalregistration", user.Subject, name, identityProvider: user.Provider);
    return Task.FromResult(0);
}
I have an HTML page
at https://localhost:44300/Content/app/externalregistration.html
How do I map externalregistration to this page?
At the moment I get an error at
https://localhost:44300/identity/externalregistration#
HTTP Error 404.0 - Not Found
Thank you
Mark
The page for the partial login has to be with IdentityServer; note that it's looking for it at /identity/ and not at /Content/app/.
If from your user service you issue a partial login, then that web page is entirely up to you to serve up from the server. If that partial login page needs to know the identity of the user, then it needs to be hosted in the same path as IdentityServer so the partial login cookie can be read on the server. If you then want that page to be a SPA, then you'd have to have some server side code issue something into the browser for your SPA to know the identity of the user. If you want that page to be a SPA and make Ajax calls back to the server, you need to include some XSRF protection.
All in all, custom partial pages are easiest implemented as standard server-rendered MVC pages.

Redirect a.com/suffix to b.com

Context: I'm developing a website for a conference happening early next year. I'm using tito.io to process registrations and Github Pages to host the website.
At the moment, users register by visiting https://tito.io/maine-civic-hack-day/maine-civic-hack-day-2013. I'd like to clean that up, and point them to http://mainecivichackday.com/register instead.
I've read about 301, 302, and masked redirects, but as far as I've seen so far, those apply to subdomains. For instance, I can make this work with register.mainecivichackday.com, but not with mainecivichackday.com/register.
What are my options?
TLDR: how do I point a.com/b to c.com?
You can set up a redirect on the a.com/b page to b.com/a, but the user will see where they were redirected to.
If you want it to show as a clean URL to the user, the webserver at tito.io will have to be configured to answer to your desired URL, such as http://register.mainecivichackday.com

TYPO3: 404 for restricted access page instead of login form

I have a link pointing to a restricted page. When I access the link directly while logged out, it redirects to a 404. Actually it should redirect to the login form.
I tried:
config {
  typolinkLinkAccessRestrictedPages = PAGE_ID
  typolinkLinkAccessRestrictedPages_addParams = &return_url=###RETURN_URL###&pageId=###PAGE_ID###
}
Not working.
I also tried the login status redirect plugin, to no use.
Does anyone know how to do this? I am using TYPO3 version 4.4.8.
As this is still unanswered, does this help?
Valid for TYPO3 < 8.x
# Check if user is logged in:
[usergroup = *]
  # do something
[else]
  page.config >
  page.config.additionalHeaders = Location: http://www.yourdomain.org/login.html
[end]
I recently posted this to another question and it crossed my mind that it might be a suitable workaround for your problem.
Found here
I'm not sure how to make redirection work correctly, but perhaps a bit of background will be helpful.
typolinkLinkAccessRestrictedPages only interacts with link generation. That way, anywhere you have a link to an access-restricted page, you should get a link that points to the "PAGE_ID" page. I suspect you are using your login pid in place of PAGE_ID, which I guess should work, but I haven't used this particular feature. I have typolinkLinkAccessRestrictedPages = NONE, which makes all links show up, linked to the correct URL, but only users who are logged in will successfully load those pages.
If anyone, without being logged in, uses a bookmark to an access-restricted page, or clicks on one of these links, or directly types in the address, or whatever, they will run into TYPO3's 404 handling (with the error message: ID was not an accessible page). To change how TYPO3 handles these errors, you need to change what TYPO3 does via this setting in localconf.php:
$TYPO3_CONF_VARS["FE"]["pageNotFound_handling"]
I don't know if there's a clean way to just automatically redirect to the login page without hacking the pageNotFound_handling.
As for the TypoScript solution, that wouldn't work for my site, because the trigger isn't whether or not someone is logged in (often they will not be logged in); the trigger for my site is trying to access a protected page when you are not logged in. I don't want it to redirect everyone who isn't logged in, because a lot of pages don't require any login.
fe_login alone cannot do this...
Follow these steps:
Install the "pagenotfoundhandling" extension after the felogin login configuration.
Configure the 403 page as the login page in the "pagenotfoundhandling" extension configuration.
Then, when you try to access an access-restricted page, "pagenotfoundhandling" will redirect to the login page, and after login pagenotfoundhandling handles the redirect back to the originally requested page. I have tested this on TYPO3 6.2.14.
And I found another workaround that looks like it should work fine.
# pages and subpages starting at 123 and 321 are restricted
[PIDinRootline = 123,321] && [loginUser = ]
  page.headerData.666 = TEXT
  page.headerData.666 {
    data = getIndpEnv:TYPO3_REQUEST_URL
    wrap = <meta http-equiv="refresh" content="0; URL=/passwort/?referer= | " />
  }
[global]
Important notice: Do not restrict the complete page, only all contents of the page. Otherwise RealURL will trigger the 404 handler.
At the moment page.config.additionalHeaders (as used by #Mateng) does not support stdWrap, so you cannot add a referrer to redirect to the desired page after login (see TYPO3 Forge and vote for the feature request).
Complete solution:
1. First, in typo3conf/LocalConfiguration.php you have to add:
'FE' => [
    'pageNotFound_handling' => 'REDIRECT:/login/',
    'pageNotFound_handling_statheader' => 'HTTP/1.1 404 Not Found',
    ...
],
2. Then add to TypoScript:
config {
  typolinkLinkAccessRestrictedPages = YOUR_LOGIN_PAGE_ID
  typolinkLinkAccessRestrictedPages_addParams = &return_url=###RETURN_URL###
}
plugin.tx_felogin_pi1.redirectMode = referer
Because there seems to be no proper solution for this behaviour of TYPO3, I use the following workaround with RealURL.
Create a 404 page in TYPO3
Set the Speaking URL path segment to "404-error" and check "Override the whole page path"
Add a text that describes what is happening (i.e. "Page doesn't exist or is restricted, please login")
Add the felogin plugin to that page and hide it when users are logged in
Set [FE][pageNotFound_handling] = /404-error/ in the install tool
This 404-error page is shown every time a user requests a page that he is either not allowed to see or a page that does not exist. When the user uses the login form on the page, he will find the proper content immediately after login because the URI did not change at all (when there is no redirect configured for the fe_login plugin).