CodeIgniter - How to check if a word is a controller name in my project or not? [duplicate] - codeigniter

This question already has answers here:
CodeIgniter - How to get a list of all my controllers dynamically?
(2 answers)
Closed 7 years ago.
I have defined an encryption method for the back reference of my login page in CodeIgniter. My encrypted string is the name of the controller from which the user called the login function.
It's working fine, but there is a security risk if I redirect to invalid decoded addresses before checking whether the decoded string is a valid controller or not.
For example, after a successful login to a link like http://example.com/login/sH-hs-eY-Tz it will redirect me back to http://example.com/home/, where home is the decoded version of sH-hs-eY-Tz, and everything is OK so far.
Now if a user tries to log in from some other URL like http://example.com/login/gh-Yh-LJ-gh, (s)he will be redirected to some URL like http://example.com/decode(gh-Yh-LJ-gh)/, which lets him/her access my decryption method in the URL and shows a simple 404 page not found output. So this should be a security risk if I do not check that the decoded string is a valid controller name before applying a redirection to it.
So I only want a method to dynamically check whether a string, for example "Home" or "test" or "Welcome", is a controller name in my project or not. How can I handle this in the right way?
Any suggestions will be appreciated.

Just create a config element array in your config.php file.
Create an array in that file consisting of all the encoded strings of your controllers. For example:
$config['encodedControllers'] = array(
    "sH-hs-eY-Tz",
    "iu-ss-et-az",
    "sH-vs-eY-fz",
    "gH-ns-bY-cz",
);
Then, from wherever you want to check, just call this array using
$controllersArray = $this->config->item('encodedControllers');
Get the URI segment from the URL using
$controllerName = $this->uri->segment(3); // NOTE the number inside segment() may differ according to your URL
Check if this $controllerName exists in $controllersArray using in_array(),
// in_array() takes the value to look for first, then the array to search
if (in_array($controllerName, $controllersArray)) {
    // Do the redirection
} else {
    // Do whatever you want to
}
Hope this helps
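An added example (not code from the answer above or from CodeIgniter itself): instead of a hand-maintained list, the decoded value can be checked against the controller files that actually exist, falling back to a default page for anything else. list_controllers() and safe_return_target() are hypothetical helper names, the temporary directory is a constructed stand-in for application/controllers, and controllers in subfolders are not considered.

```php
<?php
// Added example: resolve a decoded "return to" value only if it names a real controller.
// list_controllers() and safe_return_target() are hypothetical helper names.

/** Collect lower-cased controller names from the *.php files directly in $dir. */
function list_controllers(string $dir): array
{
    $names = [];
    foreach (glob(rtrim($dir, '/') . '/*.php') ?: [] as $file) {
        $names[] = strtolower(basename($file, '.php'));
    }
    return $names;
}

/** Return the controller to redirect to, or $default when $decoded is not one. */
function safe_return_target(string $decoded, array $controllers, string $default = 'home'): string
{
    // Reject anything that is not a plain identifier (no slashes, dots or schemes).
    if (!preg_match('/\A[A-Za-z][A-Za-z0-9_]*\z/', $decoded)) {
        return $default;
    }
    $candidate = strtolower($decoded);
    // Strict comparison avoids PHP's loose type juggling inside in_array().
    return in_array($candidate, $controllers, true) ? $candidate : $default;
}

// Constructed sample: a temporary directory standing in for application/controllers.
$dir = sys_get_temp_dir() . '/ci_controllers_' . bin2hex(random_bytes(4));
mkdir($dir);
foreach (['Home.php', 'Welcome.php', 'Test.php'] as $f) {
    touch("$dir/$f");
}
$controllers = list_controllers($dir);

// Constructed decoded values: two valid names, then strings that must fall back.
foreach (['Home', 'welcome', 'decode(gh-Yh-LJ-gh)', '../config', 'no_such_page'] as $decoded) {
    printf("%-22s -> /%s/\n", $decoded, safe_return_target($decoded, $controllers));
}

// Clean up the constructed directory.
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

In a real project the directory argument would be the application's controllers folder, and the result would be passed to redirect() only after this check.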

Related

CodeIgniter URL Encryption

To all viewers: I am new to CodeIgniter and need your guidance to get my work done. I want to encrypt the full URL, as in the example below.
For example, this is my URL: www.example.com, and my controller is home, so the full URL is www.example.com/home
Now I want to encrypt the whole controller and function part, like below:
www.example.com/5115784bef2514430e7f74d9a71d4142a942efb0f7cc428626bda7633326f9d015fbacc60d93cd6b858f9b6e05c1e56263acb24297cecc720467eb4f222d81e5hdn5B
I can encrypt and decrypt the text well, but I just don't get how I can decrypt it from the URL and work out which controller or function is being called. I want to decrypt everything after base_url.
Please don't suggest using a common controller, because I already know about that, and anyhow a common controller hides everything, so I believe it does not require the encryption.
Waiting for your positive response; hopefully my problem will be solved soon. T.I.A
Well, I have never encrypted a URL before, but you can use the PHP function url_encode
and the "str_replace" function.
The reason for using "str_replace" is that url_encode only encodes special characters in the URL.
Hope I helped some.
Try the code below.
urlencode(str_replace("your_domain.com/YourCOntrollerName/YourMethodName", "SM5ah52", "your_domain.com/" . "YourCOntrollerName/YourMethodName/YOuData"));
If not this, there is a library in the CI framework called Encryption.
You can get help from there: Encryption.
Go with URI Routing and define one controller to decode whatever you are passing, and call proper controller / method from it.
You can use URI Routing with regular expressions.
$route["other_controllers/method"] = "other_controllers/method"; //you can add this kind of lines to not to affect other controllers
$route["([a-zA-Z0-9]+)"] = "home/decrypt/$1";
In the home controller, You can
Redirect to the page
Or
Load a view
public function decrypt($token){
//getting the page according to the token from the database.
$desired_page = $this->some_model->get_page($token);
//if you want to redirect
redirect($desired_page);
//if you want to load a view
$this->load->view($desired_page);
}

Laravel 5.7 Passing a value to a route in a controller

My controller posts a form to create a new page. After posting the form I need to redirect the user to the new page that will have the contents for that page that were entered in the previous form. If I simply do return view('mynewpageview', compact('mycontent')); where my mycontent is the object used to execute the $mycontent->save(); command, I carry the risk for someone refreshing the url thus posting the same content twice by creating a new page.
Instead I would like to redirect the user to the actual page url.
My route is
Route::get('/newpage/{id}', 'PageController@pagebyid'); and if I use return redirect()->route('/newpage/$pageid'); where $pageid = $mycontent->id; I get Route not defined error.
What would be the solution either to stop someone from resubmitting the content or a correct syntax for passing the parameter?
The correct answer that works for me is -
Give your route a name in the routes file
Then pass the parameters with an array as shown below in the controller.
return redirect()->route('newpageid', ['id' => $pageid]);
With basic (unnamed) routes, the correct syntax was return redirect('/newpage/'.$pageid);
You have already found out you can alternatively use named routes.
Last but not least, thanks for having considered the "double submit" issue! You have actually implemented the PRG pattern :)

Laravel and redirect->back or something?

I need some way to redirect my app to a previous URL.
The problem comes when I make a submit that goes wrong: the redirect->back previous URL is somehow "overwritten" and I cannot get the real previous URL anymore; instead the app makes the submit again.
The only thing that I tried is the redirect back, because I can't find another way to do it :S
So I'm wondering if there is a way to achieve that: redirect the app to a previous URL without considering the failed submits and all this stuff.
Thank you.
You can try with:
return Redirect::to(URL::previous());
You can store URLs in session and then make Laravel redirect 2 or 3 pages back. Simple example of code to store URL in session:
$links = session()->has('links') ? session('links') : []; // Get data from session
array_unshift($links, $_SERVER['REQUEST_URI']); // Add current URI to an array
session(compact('links')); // Save an array to session
And example of code for redirecting:
return redirect(session('links')[2]);

How to handle encrypted URL's in rails?

I am sending an email to the user; in that email there is a link to redirect the user to the Rails application. I want that link to be in encrypted form with the domain name, for example:
https://www.domain_name.com?hdurstihnzdfalgfgdfhdrbnhduolsasrtyumyrtyr
When the user clicks on this link, he should be redirected directly to the controller method we specified in that URL, which is not visible.
The controller and methods given in the URL may vary according to the user.
So my question is how we can do this in Rails.
If I encrypt the controller name, method name and the parameters we pass, how does the routes file come to know where to redirect this URL? How do I decrypt this in the routes file and redirect internally to the decrypted URL?
Life will be easier if you can do a slight modification to your url, something like:
https://www.domain_name.com/enc/hdurstihnzdfalgfgdfhdrbnhduolsasrtyumyrtyr
Then you can create a route for that path to redirect where you want.
get '/enc/:encoded_path' => "controller#action"
This would give you access to params[:encoded_path], which would equal hdurstihnzdfalgfgdfhdrbnhduolsasrtyumyrtyr in this case. From there, you could decode in the controller and then redirect however you want.
That's not the right approach. Here's what you can do instead:
Create a new controller action, say for instance, activate.
def activate
  activation_token = params[:auth_token]
  # ...
  # your logic to do whatever with this token
end
Create a corresponding route:
match '/activate' => 'your_awesome_controller#activate'
Now, when you email your users, I'm guessing you're sending some sort of activation token. If not, create two new fields in your users table:
activation_token:string
activated:boolean
Use some unique string generation algorithm to generate your activation_token and email it to your user:
yourdomain.com/activate?auth_token=user.activation_token

Magento - Passing a session variable to a page called via _redirect()

I have the need to pass a URL to Magento, where it should redirect the User after completing the logout. To store it, I do the following:
$BackTo = Mage::app()->getRequest()->getParam('backto');
if(!empty($BackTo)) {
Mage::getSingleton('core/session')->setBackTo($BackTo);
}
When needed, I retrieve the URL using Mage::getSingleton('core/session')->getBackTo(). The issue is that, while this works well on login, it doesn't work on logout (where it's most needed). I can store the session variable, I can also immediately retrieve it, but, when I am in logout.phtml, where the redirect JavaScript is located, such variable is set to null.
I suspect that the redirect performed by Magento upon logout has something to do with this "disappearing" session variable, but I can't say for sure.
For completeness, here is the relevant code (there's more code than this, but they are mainly auxiliary functions, which don't get called on logout).
Account Controller
class MyPackage_Redirectplugin_AccountController extends Mage_Customer_AccountController {
/**
* @see AccountController:logoutAction()
*/
public function logoutAction() {
$this->_getSession()
->logout()
->setBeforeAuthUrl(Mage::getUrl());
// Store the "back to" URL in a session variable
$this->StoreBackToURL();
$this->_redirect('*/*/logoutSuccess');
}
protected function StoreBackToURL() {
// Store the value of the "backto" argument, if it was passed
$BackTo = Mage::app()->getRequest()->getParam('backto');
if(!empty($BackTo)) {
Mage::getSingleton('core/session')->setBackTo($BackTo);
// At this point I can see the correct value stored in the session variable
}
}
}
Logout.phtml
// The following command returns null
$redirectURL = Mage::getSingleton('core/session')->getBackTo();
Thanks in advance for the help.
Update 12/09/25 - Found a workaround
Since I couldn't find a way to pass a session variable to the logout page opened by redirect, I chose an alternative way: I'm passing it via the URL. Specifically, I implemented a logoutAction() which calls $this->_redirect('*/*/logoutSuccess', array('myvar' => $MyValue));.
In the template, where I have to do the redirect, I simply read such parameter using Mage::helper('core')->urlDecode(Mage::app()->getRequest()->getParam('myvar'));.
I'm aware that there might have been better ways to implement the whole thing, but I needed a bug fix solution and this does the job. Thanks to all people who answered.
The cleanest option which I see (no controller rewrite necessary!) is to observe the dynamically-dispatched controller_action_postdispatch_customer_account_logout event - see the relevant line from Mage_Core_Controller_Varien_Action::postDispatch(). The postDispatch() method is called after the controller action completes.
Example observer method:
public function logoutRedirect($obs)
{
$redirectUrl = Mage::getUrl(/* url args */);
$obs->getControllerAction()->getResponse()->setRedirect($redirectUrl);
}
Doing this will redirect the user to the desired URL directly upon logout meaning that the logoutSuccess page with the JS redirect will not be accessed.
If the desire is to have the logoutSuccess page render as normal, but redirect to a different URL, this can be achieved a couple of ways:
1. By creating a custom template
2. By creating a custom template block class, overriding the getUrl() method to retrieve the URL of your choice, and assigning that as block to render in the content area (by removing or displacing the customer_logout block) in a custom layout XML update file.
Just observe the customer_logout event, and when the event calls your method, save the session key to the database.
Learn more: http://www.magentocommerce.com/wiki/5_-_modules_and_development/reference/events
http://www.magentocommerce.com/wiki/5_-_modules_and_development/0_-_module_development_in_magento/customizing_magento_using_event-observer_method
GL.
Update 12/09/25 - Found a workaround
This workaround has also been posted in the question itself.
Since I couldn't find a way to pass a session variable to the logout page opened by redirect, I chose an alternative way: I'm passing it via the URL. Specifically, I implemented a logoutAction() which calls $this->_redirect('*/*/logoutSuccess', array('myvar' => $MyValue));.
In the template, where I have to do the redirect, I simply read such parameter using Mage::helper('core')->urlDecode(Mage::app()->getRequest()->getParam('myvar'));.
I'm aware that there might have been better ways to implement the whole thing, but I needed a bug fix solution and this does the job. Thanks to all people who answered.
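An added example, not part of the original posts: because the workaround reads the redirect target from a request parameter, the value can be checked against the site's own host before the template uses it. safe_back_to() is a hypothetical helper, the URLs are constructed samples, and the base URL argument is assumed to be the store's own base URL.

```php
<?php
// Added example: accept a "backto" value only when it points at our own site.
// safe_back_to() is a hypothetical helper; all hosts and URLs below are constructed.

function safe_back_to(?string $backTo, string $baseUrl): string
{
    if ($backTo === null || $backTo === '') {
        return $baseUrl;
    }
    // Whitespace, control characters and backslashes are parsed inconsistently by browsers.
    if (preg_match('/[\x00-\x20\\\\]/', $backTo)) {
        return $baseUrl;
    }
    $base = parse_url($baseUrl);
    $target = parse_url($backTo);
    // Require an absolute URL: relative, scheme-less ("//host") and host-less values are refused.
    if ($target === false || !isset($target['scheme'], $target['host'])) {
        return $baseUrl;
    }
    $webScheme = in_array(strtolower($target['scheme']), ['http', 'https'], true);
    $sameHost = strcasecmp($target['host'], $base['host'] ?? '') === 0;
    // A userinfo part ("user@host") has no place in a redirect target.
    if (!$webScheme || !$sameHost || isset($target['user'])) {
        return $baseUrl;
    }
    return $backTo;
}

// Constructed sample inputs: one same-site URL, then values that must fall back.
$base = 'https://shop.example/';
$samples = [
    'https://shop.example/customer/account/',
    'https://other.example/landing',
    '//other.example/',
    'javascript:alert(1)',
    'https://shop.example@other.example/',
    null,
];
foreach ($samples as $s) {
    printf("%-42s -> %s\n", var_export($s, true), safe_back_to($s, $base));
}
```

Only the first sample is returned unchanged; every other value resolves to the base URL.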
