Bug #54508

Http Redirect 301 prevents browsers from retrieving the correct url after authentication

Added by Andreas Schosser about 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Caching
Target version:
-
Start date:
2013-12-19
Due date:
% Done:

0%

TYPO3 Version:
4.7
PHP Version:
5.3
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

Hello TYPO3 Core Team

I had an issue with user restricted pages concerning the http status code of the redirect.

The Server sends status 301 and redirects to the configured login page. Status 301 indicates, that the browser may cache the redirect result and may never fetch the original url. So even when correctly authenticated and authorised the user cannot view the page unless he clears the browser cache.
It would be better to use status code 302 in this case, so the browser will try to fetch the original url.

I tracked the issue to file typo3/sysext/cms/tslib/class.tslib_fe.php, line 2788. I changed the status code manually from 301 to 302 ($redirectStatus = t3lib_utility_Http::HTTP_STATUS_302;).

Could you please change the status code or provide the possibility to configure it via typoscript.

Thank you,
Andreas


Related issues

Duplicates TYPO3 Core - Bug #56423: Page shortcuts redirect with HTTP Status 301 and get cached on some devices Closed 2014-02-28

History

#1 Updated by Markus Klein about 5 years ago

Can you please explain your setup in more detail?

The Server sends status 301 and redirects to the configured login page

What is the configuration you're using here?

#2 Updated by Joonas Kauhanen almost 5 years ago

I can confirm this behaviour. Whenever a frontend user tries to navigate to an access restricted page but is not logged in, a 301 redirect is happening to login page. After logging in, trying to navigate to the initial page will result in a cached redirect by the browser. The suggested patch works but it is maybe not the optimal way. We are using TYPO3 6.1.5 with Realurl on a fairly standard LAMP server.

#3 Updated by Markus Klein almost 5 years ago

What is your Typoscript setup to achieve the redirect to the login form?

The code mentioned resides in the checkPageForShortcutRedirect() function? If so, I'm a bit unsure what a shortcut has to do with felogin redirect.

#4 Updated by Markus Klein almost 5 years ago

  • Status changed from New to Needs Feedback

#5 Updated by Joonas Kauhanen almost 5 years ago

I think the redirect happens because of this Realurl configuration: 'postVarSet_failureMode'=>'redirect_goodUpperDir'. And I was wondering too how the shortcut function is related, but it fixed the situation. Is the original author using Realurl too?

#6 Updated by Alexander Opitz over 4 years ago

Are all points cleared out so that this issue can be closed?

#7 Updated by Andreas Schosser over 4 years ago

Hi Alexander

I think I have to clarify the issue.

Let's have a look at the following page structure:

|- parent page (shortcut mode first subpage)
  |- page 1 (restricted to group 1)
  |- page 2 (restricted to group 2)
  |- Login (public)
  |- common page (restricted to groups 1 and 2)

When an anonymous user access the common page TYPO3 issues a permanent redirect to the Login page. This should be changed to "302 Found".

Our setup us as follows:

  • TYPO3 4.7.19
  • Realurl 1.12.7
  • no postVarSet_failureMode set

Thank you
Andreas

#8 Updated by Markus Klein over 4 years ago

What happens if you disable realurl?
Is it the same with TYPO3 CMS 6.2?

301 is not good in most cases, but we've to figure out which component is triggering it, the Core or realurl

#9 Updated by Dmitry Dulepov over 4 years ago

1. RealURL does not handle anything regarding authentication or login because it runs before the page id is known to TYPO3. Without page id it is not possible to redirect anywhere.
2. RealURL does not handle anything regarding permissions to view pages. It only decodes/encodes URLs given to it. It is up to the caller to handle the rest.
3. RealURL always uses a custom HTTP status line to let you know that it is redirected. A typical RealURL redirect produces the following status line: HTTP/1.0 301 TYPO3 RealURL redirect

So the chance that it is RealURL is 0.001%.

#10 Updated by Markus Klein over 4 years ago

Thanks Dmitry for clarification!!

#11 Updated by Andreas Schosser over 4 years ago

What happens if you disable realurl?

The problem persists with config.tx_realurl_enable=0

Is it the same with TYPO3 CMS 6.2?

I haven't tried this setup with 6.2 yet.

301 is not good in most cases, but we've to figure out which component is triggering it, the Core or realurl

I think it's the core becaus my patch of typo3/sysext/cms/tslib/class.tslib_fe.php worked for me an the status code is harcoded there in line 2.788.

Andreas

#12 Updated by Markus Klein over 4 years ago

  • Category changed from felogin to Caching
  • Status changed from Needs Feedback to Accepted
  • Target version set to next-patchlevel

Ok, I guess I finally understood your problem.

The problem is actually, that you've a shortcut, whose target changes depending on the login state.

For performance reasons we chose to do a permanent redirect, but clearly for this scenario that is not the best idea.

I agree we should use another status code, but not 302, as this one is replaced with 303/307 in HTTP/1.1, see http://en.wikipedia.org/wiki/List_of_HTTP_status_codes

Moreover we will not find enough reviewers for 4.x, so I guess this will be fixed 6.3,6.2 only.

#13 Updated by Markus Klein over 4 years ago

  • Status changed from Accepted to On Hold
  • Target version deleted (next-patchlevel)

And finally it turned out that is already fixed on 6.2+, hence this is a duplicate of #56423.
I will close the issue, if you agree.

#14 Updated by Andreas Schosser over 4 years ago

I will close the issue, if you agree.

Of course you may close this issue. Great that it is fixed in 6.2.

Thank you
Andreas

#15 Updated by Markus Klein over 4 years ago

  • Status changed from On Hold to Closed

Also available in: Atom PDF