Bug #82534

Felogin redirect by domain entries referer

Added by Bernhard Eckl about 3 years ago. Updated about 1 month ago.

Must have


There is a bug in the redirect by domain entries. According to the docs it is the same as redirect by referer, but the domain has to be defined in plugin.tx_felogin_pi1.domains. But this was not necessary (nothing changed, no redirect); instead, the domain must be defined as a domain record.

In my case I wanted to redirect to a domain called https://intranet.xyz.de (intranet.xyz.de is a totally different server, no TYPO3). For this I had to create a domain record for the domain intranet.xyz.de. If the referer was not in the header, it also works as a GET parameter. But only if the domain is defined as a domain record.

This is because in felogin/Classes/Controller/FrontendLoginController.php the function validateRedirectUrl is called, which calls isInLocalDomain, and in isInLocalDomain the domain records get checked. Instead it should not check isInLocalDomain but plugin.tx_felogin_pi1.domains.

I would prefer just to define the domain in plugin.tx_felogin_pi1.domains as mentioned in the documentation, and no domain records.


Updated by Susanne Moog about 3 years ago

  • Category set to felogin

Updated by Riccardo De Contardi 8 months ago

If I am not totally wrong, this issue could still be present on 9.5.x and should be solved on version 10.4.0-dev (latest master).

(See function processRedirect in EXT:felogin/Classes/Controller/FrontendLoginController.php - lines 840+)

                        case 'refererDomains':
                            // Auto redirect.
                            // Feature to redirect to the page where the user came from (HTTP_REFERER).
                            // Allowed domains to redirect to, can be configured with plugin.tx_felogin_pi1.domains
                            // Thanks to plan2.net / Martin Kutschker for implementing this feature.
                            // also avoid redirect when logging in after changing password
                            if (isset($this->conf['domains']) && $this->conf['domains']
                                && (!isset($this->piVars['redirectReferrer']) || $this->piVars['redirectReferrer'] !== 'off')
                            ) {
                                $url = $this->referer;
                                // Is referring url allowed to redirect?
                                $match = [];
                                if (preg_match('#^http://([[:alnum:]._-]+)/#', $url, $match)) {
                                    $redirect_domain = $match[1];
                                    $found = false;
                                    foreach (GeneralUtility::trimExplode(',', $this->conf['domains'], true) as $d) {
                                        if (preg_match('/(?:^|\\.)' . $d . '$/', $redirect_domain)) {
                                            $found = true;
                                            break;
                                        }
                                    }
                                    if (!$found) {
                                        $url = '';
                                    }
                                }
                                // Avoid forced logout, when trying to login immediately after a logout
                                if ($url) {
                                    $redirect_url[] = preg_replace('/[&?]logintype=[a-z]+/', '', $url);
                                }
                            }
                            break;
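
An added example, not part of the thread and not TYPO3's own code: a stand-alone PHP check of a redirect URL's host against a comma-separated domain list in the style of plugin.tx_felogin_pi1.domains. The helper name isAllowedRedirect and the sample URLs are assumptions; unlike the snippet quoted above, it accepts both http and https and compares hosts as plain strings.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a TYPO3 API): returns $url when its host is covered
// by a comma-separated domain list, otherwise an empty string.
function isAllowedRedirect(string $url, string $allowedDomains): string
{
    $parts = parse_url($url);
    // Only absolute http(s) URLs with a host can be checked against the list.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return '';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';
    }
    // Refuse credentials in the authority part ("user@host").
    if (isset($parts['user']) || isset($parts['pass'])) {
        return '';
    }
    $host = rtrim(strtolower($parts['host']), '.');

    foreach (explode(',', $allowedDomains) as $domain) {
        $domain = rtrim(strtolower(trim($domain)), '.');
        if ($domain === '') {
            continue;
        }
        // String comparison only: the exact host, or a subdomain ending in
        // ".<domain>". The configured value is never used as a regex.
        $suffix = '.' . $domain;
        if ($host === $domain || substr($host, -strlen($suffix)) === $suffix) {
            return $url;
        }
    }
    return '';
}

// Constructed sample input; intranet.xyz.de is the host named in the report.
$allowed = 'intranet.xyz.de, example.org';
$samples = [
    'https://intranet.xyz.de/start',        // exact host over https
    'http://www.example.org/page?id=3',     // subdomain of a listed domain
    'https://intranet.xyz.de.example.net/', // listed name only as a prefix
    'https://intranetxxyz.de/',             // no dot where the list has one
    '/relative/path',                       // relative URL, no host
];
foreach ($samples as $sample) {
    $verdict = isAllowedRedirect($sample, $allowed) === '' ? 'rejected' : 'allowed';
    printf("%-40s %s\n", $sample, $verdict);
}
```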

Updated by Markus Klein about 1 month ago

  • Status changed from New to Closed

Closing due to lack of feedback.


Updated by Bernhard Eckl about 1 month ago

There is no feedback to give. Which info do you need?
