Bug #54508
closed
Http Redirect 301 prevents browsers from retrieving the correct url after authentication
0%
Description
Hello TYPO3 Core Team
I had an issue with user restricted pages concerning the http status code of the redirect.
The Server sends status 301 and redirects to the configured login page. Status 301 indicates, that the browser may cache the redirect result and may never fetch the original url. So even when correctly authenticated and authorised the user cannot view the page unless he clears the browser cache.
It would be better to use status code 302 in this case, so the browser will try to fetch the original url.
I tracked the issue to file typo3/sysext/cms/tslib/class.tslib_fe.php, line 2788. I changed the status code manually from 301 to 302 ($redirectStatus = t3lib_utility_Http::HTTP_STATUS_302;).
Could you please change the status code or provide the possibility to configure it via typoscript.
Thank you,
Andreas
Updated by Markus Klein over 10 years ago
Can you please explain your setup in more detail?
The Server sends status 301 and redirects to the configured login page
What is the configuration you're using here?
Updated by Joonas Kauhanen about 10 years ago
I can confirm this behaviour. Whenever a frontend user tries to navigate to an access restricted page but is not logged in, a 301 redirect is happening to login page. After logging in, trying to navigate to the initial page will result in a cached redirect by the browser. The suggested patch works but it is maybe not the optimal way. We are using TYPO3 6.1.5 with Realurl on a fairly standard LAMP server.
Updated by Markus Klein about 10 years ago
What is your Typoscript setup to achieve the redirect to the login form?
The code mentioned resides in the checkPageForShortcutRedirect() function? If so, I'm a bit unsure what a shortcut has to do with felogin redirect.
Updated by Markus Klein about 10 years ago
- Status changed from New to Needs Feedback
Updated by Joonas Kauhanen about 10 years ago
I think the redirect happens because of this Realurl configuration: 'postVarSet_failureMode'=>'redirect_goodUpperDir'. And I was wondering too how the shortcut function is related, but it fixed the situation. Is the original author using Realurl too?
Updated by Alexander Opitz almost 10 years ago
Are all points cleared out so that this issue can be closed?
Updated by Andreas Schosser almost 10 years ago
Hi Alexander
I think I have to clarify the issue.
Let's have a look at the following page structure:
|- parent page (shortcut mode first subpage) |- page 1 (restricted to group 1) |- page 2 (restricted to group 2) |- Login (public) |- common page (restricted to groups 1 and 2)
When an anonymous user access the common page TYPO3 issues a permanent redirect to the Login page. This should be changed to "302 Found".
Our setup us as follows:
- TYPO3 4.7.19
- Realurl 1.12.7
- no postVarSet_failureMode set
Thank you
Andreas
Updated by Markus Klein almost 10 years ago
What happens if you disable realurl?
Is it the same with TYPO3 CMS 6.2?
301 is not good in most cases, but we've to figure out which component is triggering it, the Core or realurl
Updated by Dmitry Dulepov almost 10 years ago
1. RealURL does not handle anything regarding authentication or login because it runs before the page id is known to TYPO3. Without page id it is not possible to redirect anywhere.
2. RealURL does not handle anything regarding permissions to view pages. It only decodes/encodes URLs given to it. It is up to the caller to handle the rest.
3. RealURL always uses a custom HTTP status line to let you know that it is redirected. A typical RealURL redirect produces the following status line: HTTP/1.0 301 TYPO3 RealURL redirect
So the chance that it is RealURL is 0.001%.
Updated by Andreas Schosser almost 10 years ago
What happens if you disable realurl?
The problem persists with config.tx_realurl_enable=0
Is it the same with TYPO3 CMS 6.2?
I haven't tried this setup with 6.2 yet.
301 is not good in most cases, but we've to figure out which component is triggering it, the Core or realurl
I think it's the core becaus my patch of typo3/sysext/cms/tslib/class.tslib_fe.php worked for me an the status code is harcoded there in line 2.788.
Andreas
Updated by Markus Klein over 9 years ago
- Category changed from felogin to Caching
- Status changed from Needs Feedback to Accepted
- Target version set to next-patchlevel
Ok, I guess I finally understood your problem.
The problem is actually, that you've a shortcut, whose target changes depending on the login state.
For performance reasons we chose to do a permanent redirect, but clearly for this scenario that is not the best idea.
I agree we should use another status code, but not 302, as this one is replaced with 303/307 in HTTP/1.1, see http://en.wikipedia.org/wiki/List_of_HTTP_status_codes
Moreover we will not find enough reviewers for 4.x, so I guess this will be fixed 6.3,6.2 only.
Updated by Markus Klein over 9 years ago
- Status changed from Accepted to On Hold
- Target version deleted (
next-patchlevel)
And finally it turned out that is already fixed on 6.2+, hence this is a duplicate of #56423.
I will close the issue, if you agree.
Updated by Andreas Schosser over 9 years ago
I will close the issue, if you agree.
Of course you may close this issue. Great that it is fixed in 6.2.
Thank you
Andreas