On Thu, 2015-06-18 at 21:28 +0200, Gordian Edenhofer wrote:
> After the user was authenticated a redirect to the site which
> linked the user to the login page is done. This fixes FS#32481.
> ---
> web/html/login.php | 1 +
> web/lib/acctfuncs.inc.php | 15 ++++++++++++++-
> 2 files changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/web/html/login.php b/web/html/login.php
> index f898a57..1b3a589 100644
> --- a/web/html/login.php
> +++ b/web/html/login.php
> @@ -42,6 +42,7 @@ html_header('AUR ' . __("Login"));
> <p>
> <input type="submit" class="button"
> value="<?php print __("Login"); ?>" />
> <a href="<?= get_uri('/passreset/')
> ?>">[<?= __('Forgot Password') ?>]</a>
> + <input id="id_referer" type="hidden"
> name="referer" value="<?= !empty($_SERVER['HTTP_REFERER']) ?
> $_SERVER['HTTP_REFERER'] : '/'; ?>" />
> </p>
> </fieldset>
> </form>
> diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
> index 20ac081..127a991 100644
> --- a/web/lib/acctfuncs.inc.php
> +++ b/web/lib/acctfuncs.inc.php
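Review bot: The hidden `referer` field added in web/html/login.php prints `$_SERVER['HTTP_REFERER']` into the `value` attribute without any output encoding. The Referer header is chosen by the client, so a double quote in it closes the attribute and the rest of the header is parsed as markup on the login page. Encode it where it is printed: `value="<?= htmlspecialchars(!empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/', ENT_QUOTES, 'UTF-8') ?>"`. The surrounding form starts and ends outside the hunk.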
> @@ -544,7 +544,20 @@ function try_login() {
> }
>
> setcookie("AURSID", $new_sid, $cookie_time, "/", null,
> !empty($_SERVER['HTTPS']), true);
> - header("Location: " . get_uri('/'));
> +
> + /**
> + * Check whether the site itself refered here and if so
> refer back to its origin
> + *
> + * One major drawback is that POST request are not handled
> properly, the only possible
> + * solution I could think of is to use JavaScript to auto
> submit a hidden form, though
> + * it would slow down the page load time and would require
> js for a successful redirect.
> + * This hard dependcy is not somehtings I want to implement
> since this problem is too
> + * minor for such an agressive approach IMHO.
> + */
> + $referer = !empty($_REQUEST['referer']) ?
> $_REQUEST['referer'] : '/';
> + $aur_location = aur_location();
> + $referer = strpos($referer, $aur_location) === 0 ? $referer
> : '/';
> + header("Location: " . get_uri( $referer ));
> $login_error = "";
> }
>
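Review bot: The origin check `strpos($referer, $aur_location) === 0` in try_login() is only a string-prefix test, so it also accepts a URL whose host merely begins with the same characters as the site's location, and the post-login redirect can then leave the site. `$_REQUEST['referer']` can be supplied in the query string of the login request as well as by the hidden field, so the value is not limited to what login.php rendered. Assuming aur_location() returns the base URL without a trailing slash (it is not shown here), anchor the comparison on the path separator with `$referer = strpos($referer, rtrim($aur_location, '/') . '/') === 0 ? $referer : '/';`, and add an `is_string($referer)` guard before it because a `referer[]` parameter arrives as an array. A stricter design would carry only a site-relative path through the form and reject anything else; it is also worth confirming that get_uri(), which is called with '/' and '/passreset/' elsewhere in this patch, behaves as intended when handed an absolute URL. try_login() begins and ends outside the hunk.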
Sorry for sending this message twice. Please just ignore this E-Mail.