Hi,
I'm quite sure that I'm falling into common security pitfalls, but this is my
problem:
All my site is under a main firewall, so when a user requests a URL (for
example http://mysite/accounts), he will be redirected to the login page
http://mysite/login. (It works.)
When the user submits the login form he will be authenticated, in this case
with my custom entity provider. (It works.)
The login redirects the user (from login_check) to the requested resource
(http://mysite/accounts) and sends the correct response (...my account list).
Here is the problem.
In the user's browser address bar the user continues to see the URL of
login_check (http://mysite/login_check) instead of the URL of the requested
resource.
Symfony 2.1.6
Any information will be appreciated.
Marco Roello

security.yml
# "security:" is the root key every security.yml needs; it was missing from the pasted snippet
security:
    providers:
        cnr:
            entity: { class: CnrVTBundle:User }
        in_memory:
            memory:
                users:
                    user:  { password: userpass,  roles: [ 'ROLE_USER' ] }
                    admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }

    firewalls:
        ajax_calls:
            pattern:   ^/_wdt
            anonymous: ~
        main:
            pattern:   ^/
            anonymous: ~
            form_login:
                provider:      cnr
                csrf_provider: form.csrf_provider
                login_path:    /login
                check_path:    /login_check
                # never fall back to the Referer header for the post-login redirect
                use_referer:   false
                # false: redirect to the URL the firewall saved before bouncing to /login
                always_use_default_target_path: false
                # used only when no saved target path exists
                default_target_path: /
            logout: true

    access_control:
        - { path: ^/login$,    role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register,  role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # "roles" and "role" are both accepted here; the singular form is normalised to "roles"
        - { path: ^/_wdt,      roles: 'IS_AUTHENTICATED_ANONYMOUSLY' }
        - { path: ^/,          role: IS_AUTHENTICATED_FULLY }

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
routing.yml

cnr_vt:
    resource: "@CnrVTBundle/Controller/"
    type:     annotation
    prefix:   /

fos_js_routing:
    resource: "@FOSJsRoutingBundle/Resources/config/routing/routing.xml"

cnr_vt_security_login:
    pattern:  /login
    defaults: { _controller: CnrVTBundle:Security:login }

# check_path of the "main" firewall; no controller is needed, the firewall
# listener handles the POST itself
_security_login_check:
    pattern: /login_check

_security_logout:
    pattern: /logout
login.html.twig

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>{% block title %}Title{% endblock %}</title>
    <link rel="icon" sizes="16x16" href="{{ asset('favicon.ico') }}" />
    <link rel="stylesheet" href="{{ asset('bundles/cnrvt/css/jquery.mobile-1.2.0.css') }}" />
    <link rel="stylesheet" href="{{ asset('bundles/cnrvt/css/style.css') }}" />
    <script src="{{ asset('bundles/cnrvt/js/jquery.js') }}"></script>
    <script src="{{ asset('bundles/cnrvt/js/jquery.mobile-1.2.0.js') }}"></script>
    <script>
        $(document).on("mobileinit", function () {
            // Uncommenting the next line turns off jQuery Mobile's AJAX navigation:
            // the form below is then submitted as a normal full-page POST and the
            // browser itself follows the redirect sent by /login_check.
            //$.mobile.ajaxEnabled = false;
        });
    </script>
</head>
<body>
    <div data-role="page">
        <div data-role="header"><h1>Login</h1></div>
        <div data-role="content">
            {% if error %}
                <div>{{ error.message }}</div>
            {% endif %}
            {# posts to the firewall's check_path; field names _username,
               _password and _csrf_token are form_login's defaults #}
            <form action="{{ path('_security_login_check') }}" method="post">
                {# csrf_token must be generated by the login controller with
                   the intention "authenticate" (form_login's default) #}
                <input type="hidden" name="_csrf_token" value="{{ csrf_token }}" />
                <label for="username">Username:</label>
                <input type="text" id="username" name="_username" value="{{ last_username }}" />
                <label for="password">Password:</label>
                <input type="password" id="password" name="_password" />
                <button type="submit" data-inline="true">Login</button>
            </form>
        </div>
    </div>
</body>
</html>
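The post-login redirect described above (anonymous request to /accounts, bounce to /login, POST to /login_check, redirect back to /accounts) is decided by the form_login success handler, and the three options in the security.yml above (always_use_default_target_path, use_referer, default_target_path) are its knobs. The following is an added, stand-alone example and not code from the original post or from Symfony: it re-implements the target-URL selection order of Symfony 2.1's default success handler with plain arrays standing in for the Request and Session. The isSafeTarget() check is this example's own addition (the framework does not validate the target by default), added because the _target_path request parameter is attacker-controllable; the option values and the constructed requests are copied from or modelled on the post's configuration.

```php
<?php
// Added example, not part of the original post or of Symfony itself.
// Selection order mirrored here: always_use_default_target_path, then the
// _target_path request parameter, then the URL the firewall saved in the session
// under "_security.<firewall>.target_path", then the Referer (only with
// use_referer: true), then default_target_path.

// Added hardening: accept only same-host absolute URLs or single-slash relative paths.
function isSafeTarget(string $url, string $requestHost): bool
{
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    if (isset($parts['host'])) {
        return strcasecmp($parts['host'], $requestHost) === 0;   // absolute URL: our host only
    }
    if (isset($parts['scheme'])) {
        return false;                                            // e.g. "javascript:..." without a host
    }
    // Relative target: must start with exactly one "/" ("//evil.example" is scheme-relative).
    return isset($parts['path']) && $parts['path'] !== ''
        && $parts['path'][0] === '/' && substr($url, 0, 2) !== '//';
}

// $options: the form_login options; $request: ['host' => ..., 'params' => [...], 'headers' => [...]];
// $session: array passed by reference so the saved target path can be consumed.
function determineTargetUrl(array $options, array $request, array &$session, string $firewall): string
{
    if ($options['always_use_default_target_path']) {
        return $options['default_target_path'];
    }
    $host = $request['host'];

    // 1. Explicit _target_path sent with the login form (query string or hidden field).
    if (!empty($request['params']['_target_path'])) {
        $target = $request['params']['_target_path'];
        if (isSafeTarget($target, $host)) {
            return $target;
        }
        // Added hardening: an off-site value is ignored rather than followed.
    }

    // 2. URL stored by the firewall when the anonymous user was sent to login_path.
    $key = '_security.' . $firewall . '.target_path';
    if (!empty($session[$key])) {
        $target = $session[$key];
        unset($session[$key]);   // consumed once, like the framework does
        return $target;
    }

    // 3. Referer, if enabled and not the login page itself.
    $loginUrl = 'http://' . $host . $options['login_path'];
    if ($options['use_referer'] && !empty($request['headers']['Referer'])
        && $request['headers']['Referer'] !== $loginUrl) {
        return $request['headers']['Referer'];
    }

    // 4. Fallback.
    return $options['default_target_path'];
}

// Option values copied from the "main" firewall in the security.yml above.
$options = [
    'login_path'                     => '/login',
    'check_path'                     => '/login_check',
    'use_referer'                    => false,
    'always_use_default_target_path' => false,
    'default_target_path'            => '/',
];

// Constructed scenario 1 (the post's flow): the firewall saved the original URL in
// the session; the form posts to /login_check without any _target_path.
$session = ['_security.main.target_path' => 'http://mysite/accounts'];
$request = [
    'host'    => 'mysite',
    'params'  => ['_username' => 'user', '_password' => 'userpass'],
    'headers' => [],
];
printf("scenario 1: Location: %s (saved target still in session: %s)\n",
    determineTargetUrl($options, $request, $session, 'main'),
    isset($session['_security.main.target_path']) ? 'yes' : 'no');

// Constructed scenario 2: a crafted login link carries an off-site _target_path.
$session = [];
$request['params']['_target_path'] = 'http://evil.example/phish';
printf("scenario 2: Location: %s\n", determineTargetUrl($options, $request, $session, 'main'));

// Constructed scenario 3: a same-host _target_path is honoured.
$request['params']['_target_path'] = '/accounts?page=2';
printf("scenario 3: Location: %s\n", determineTargetUrl($options, $request, $session, 'main'));
```

Run it with `php` on the command line. Note that the Location the handler computes is what the browser is told to load after /login_check; if the form is submitted through XHR instead of a normal POST, the browser follows that redirect inside the XHR and the address bar is not updated by the redirect itself.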
--
You received this message because you are subscribed to the Google Groups "symfony developers" group.
http://groups.google.com/group/symfony-devs?hl=en