
Doubts about login/logout redir behaviour

Open frederikhors opened this issue 6 years ago • 3 comments

Issue opened for the creation of a wiki page that summarizes the doubts and problems for newbies (https://github.com/volatiletech/authboss/issues/210).
I have two doubts about the redir behaviour of authboss.

SCENARIO:

I have two sides:

  • backend.mysite.com
  • client.mysite.com

Many times I need to disconnect the user so I redirect it from let's say client.mysite.com/teams/1 to backend.mysite.com/authboss/logout?redir=/teams/1.

It doesn't work because authboss detects unauthorized account (invalidated from client side) and redirects to backend.mysite.com/authboss/login?redir=%2F and I lose my redir info.

DOUBT 1:

Can we pass redir info from /logout to /login?

DOUBT 2:

Even if I use /login?redir=/teams/1 I read some time ago that it is wrong - from a security point of view - to enter complete URLs in the redir info such as: backend.mysite.com/authboss/login?redir=https://client.mysite.com/teams/1.

I know authboss automagically adds the backend.mysite.com/ part after login and before redirect to redir.

Is there a way to change this initial part (eg. with https://client.mysite.com/)?

Is Config.Paths.AuthLoginOK involved here in some way?

frederikhors, Jun 07 '19 23:06

I found this: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md.

Safe use of redirects and forwards can be done in a number of ways:

  • Simply avoid using redirects and forwards.
  • If used, do not allow the url as user input for the destination. This can usually be done. In this case, you should have a method to validate URL.
  • If user input can’t be avoided, ensure that the supplied value is valid, appropriate for the application, and is authorized for the user.
  • It is recommended that any such destination input be mapped to a value, rather than the actual URL or portion of the URL, and that server side code translate this value to the target URL.
  • Sanitize input by creating a list of trusted URL's (lists of hosts or a regex).
  • Force all redirects to first go through a page notifying users that they are going off of your site, and have them click a link to confirm.

frederikhors, Jun 07 '19 23:06

Hi again @frederikhors. I'm actually not sure that that's a supported way of using authboss (to redirect outside its primary domain). It is definitely wrong to allow a full URL in the redir query parameter. Sounds like a special feature request you'd have to patch in yourself for your use case :(

aarondl, Jul 13 '19 02:07

If you wanted to make it a real feature in Authboss it'd have to use the trusted URLs as shown in the notes you pasted.

aarondl, Jul 13 '19 02:07
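One way to implement the trusted-host validation aarondl mentions (the "list of trusted URLs" item from the OWASP notes pasted above), as an added example in Go that is not authboss's own code: the `trustedHosts` allowlist, the `SafeRedirect` function and the client.mysite.com entry are assumptions constructed for illustration, and a rejected value is meant to fall back to a fixed default such as the AuthLoginOK path.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// trustedHosts is a constructed allowlist: the only external hosts the backend may
// send a user to after login. Exact host match, never a prefix or substring check.
var trustedHosts = map[string]bool{
	"client.mysite.com": true,
}

// SafeRedirect validates a raw ?redir= value and returns the destination to put in
// the Location header, or ("", false) when it must be rejected. Accepted forms:
//   - a relative path starting with exactly one "/" (stays on the current host);
//   - an absolute https URL whose host is in trustedHosts.
// Everything else (scheme-relative "//host", backslash tricks, other schemes,
// userinfo, unknown or look-alike hosts) is refused.
func SafeRedirect(raw string) (string, bool) {
	if raw == "" || strings.ContainsAny(raw, "\\\r\n") {
		return "", false
	}
	u, err := url.Parse(raw)
	if err != nil || u.User != nil {
		return "", false
	}
	if u.Scheme == "" && u.Host == "" {
		// Relative: "/teams/1" is fine. "//evil" never lands here (Host would be set),
		// but "/%2F%2Fevil" decodes to a Path starting with "//", so check the decoded Path.
		if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
			return "", false
		}
		return u.String(), true
	}
	if u.Scheme != "https" || !trustedHosts[strings.ToLower(u.Hostname())] {
		return "", false
	}
	return u.String(), true
}

func main() {
	for _, r := range []string{"/teams/1", "https://client.mysite.com/teams/1",
		"//evil.example/teams/1", "https://client.mysite.com.evil.example/"} {
		dest, ok := SafeRedirect(r)
		fmt.Printf("%-42q -> ok=%-5v dest=%q\n", r, ok, dest)
	}
}
```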