Actions
Patch #18980
closed
Parameter back_url not set on redirect to login page when session has expired
Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Accounts / authentication
Target version:
-
Start date:
Due date:
% Done:
0%
Estimated time:
Description
When a user requests a page (like "/projects/project_name/issues") and the session has expired, the user is redirected to "/login" without setting the "back_url" parameter.
This results in the user being redirected to "/my/page" after a successful login.
Expected behavior would be to redirect the user back to the originally requested url.
To test this more easily I have manually set the session_timeout to 1 (minute) in the database table (sql: update settings set value = 1 where name = 'session_timeout')
I have written a patch which sends along the proper "back_url" parameter. I have borrowed the code for creating of the "back_url" parameter from the function "require_login" from the same controller. Ruby is not my native language, so please check if this patch is correct (although I'm sure this is done anyway.)
Also logs are included which show the original behavior and the behavior when this patch is applied.
Patch
Index: app/controllers/application_controller.rb
===================================================================
--- app/controllers/application_controller.rb (revision 13953)
+++ app/controllers/application_controller.rb (working copy)
@@ -62,10 +62,16 @@
def session_expiration
if session[:user_id]
if session_expired? && !try_to_autologin
+ # Extract only the basic url parameters on non-GET requests
+ if request.get?
+ url = url_for(params)
+ else
+ url = url_for(:controller => params[:controller], :action => params[:action], :id => params[:id], :project_id => params[:project_id])
+ end
set_localization(User.active.find_by_id(session[:user_id]))
reset_session
flash[:error] = l(:error_session_expired)
- redirect_to signin_url
+ redirect_to signin_url(:back_url => url)
else
session[:atime] = Time.now.utc.to_i
end
Log of original version - Page request after session expiration:
Started GET "/projects/my_project_name/issues" for 1.2.3.4 at 2015-01-30 11:51:34 +0100
Processing by IssuesController#index as HTML
Parameters: {"project_id"=>"my_project_name"}
Redirected to https://www.redmine.org/login
Filter chain halted as :session_expiration rendered or redirected
Completed 302 Found in 5.3ms (ActiveRecord: 0.3ms)
Started GET "/login" for 1.2.3.4 at 2015-01-30 11:51:34 +0100
Processing by AccountController#login as HTML
Current user: anonymous
Rendered account/login.html.erb within layouts/base (2.1ms)
Completed 200 OK in 18.3ms (Views: 12.5ms | ActiveRecord: 1.8ms)
Started POST "/login" for 1.2.3.4 at 2015-01-30 11:51:44 +0100
Processing by AccountController#login as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"3H5asd234aslkjdhakh382y4=", "username"=>"my_username", "password"=>"[FILTERED]", "login"=>"Log in »"}
Current user: anonymous
Successful authentication for 'my_username' from 1.2.3.4 at 2015-01-30 10:51:44 UTC
Redirected to https://www.redmine.org/my/page
Completed 302 Found in 8.2ms (ActiveRecord: 2.6ms)
Started GET "/my/page" for 1.2.3.4 at 2015-01-30 11:51:44 +0100
Processing by MyController#page as HTML
Current user: my_username (id=3)
Rendered my/blocks/_timelog.html.erb (4.9ms)
Rendered issues/_list_simple.html.erb (14.3ms)
Rendered my/blocks/_issuesassignedtome.html.erb (33.7ms)
Rendered issues/_list_simple.html.erb (23.3ms)
Rendered my/blocks/_issuesreportedbyme.html.erb (34.1ms)
Rendered my/page.html.erb within layouts/base (75.5ms)
Completed 200 OK in 184.8ms (Views: 175.2ms | ActiveRecord: 4.7ms)
Log of patched version - Page request after session expiration:
Started GET "/projects/my_project_name/issues" for 1.2.3.4 at 2015-01-30 12:01:49 +0100
Processing by IssuesController#index as HTML
Parameters: {"project_id"=>"my_project_name"}
Redirected to https://www.redmine.org/login?back_url=https%3A%2F%2Fwww.redmine.org%2Fprojects%2Fmy_project_name%2Fissues
Filter chain halted as :session_expiration rendered or redirected
Completed 302 Found in 5.9ms (ActiveRecord: 0.5ms)
Started GET "/login?back_url=https%3A%2F%2Fwww.redmine.org%2Fprojects%2Fmy_project_name%2Fissues" for 1.2.3.4 at 2015-01-30 12:01:49 +0100
Processing by AccountController#login as HTML
Parameters: {"back_url"=>"https://www.redmine.org/projects/my_project_name/issues"}
Current user: anonymous
Rendered account/login.html.erb within layouts/base (2.2ms)
Completed 200 OK in 19.1ms (Views: 13.2ms | ActiveRecord: 1.8ms)
Started POST "/login" for 1.2.3.4 at 2015-01-30 12:02:13 +0100
Processing by AccountController#login as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"3H5asd234aslkjdhakh382y5=", "back_url"=>"https://www.redmine.org/projects/my_project_name/issues", "username"=>"my_username", "password"=>"[FILTERED]", "login"=>"Log in »"}
Current user: anonymous
Successful authentication for 'my_username' from 1.2.3.4 at 2015-01-30 11:02:13 UTC
Redirected to https://www.redmine.org/projects/my_project_name/issues
Completed 302 Found in 12.1ms (ActiveRecord: 4.4ms)
Started GET "/projects/my_project_name/issues" for 1.2.3.4 at 2015-01-30 12:02:13 +0100
Processing by IssuesController#index as HTML
Parameters: {"project_id"=>"my_project_name"}
Current user: my_username (id=3)
Rendered queries/_filters.html.erb (14.7ms)
Rendered queries/_columns.html.erb (2.5ms)
Rendered issues/_list.html.erb (248.6ms)
Rendered plugins/redmine_contacts/app/views/contacts_issues/_contacts.html.erb (1.2ms)
Rendered issues/_sidebar.html.erb (7.4ms)
Rendered issues/index.html.erb within layouts/base (287.3ms)
Completed 200 OK in 436.8ms (Views: 318.8ms | ActiveRecord: 13.4ms)
Related issues
Updated by 
Updated by 
Updated by 
Updated by
Actions