The behavior I'm trying to achieve is such that when the node app redirects to a URL, once that has been complete, I want the node app to subsequently redirect to another URL.
res.redirect('/hello').then(res.redirect('/'))
Something like that.
What I'm trying to achieve is when a user logs out from my application, they first get redirected to our identity server, which clears any association with the user and the Identity Server, completely logging them out, and then redirect to the application-specific login (a path configured in the node app). Thus,
res.redirect('www.identityserver.com/logout').then(res.direct('www.application.com/auth'))
The restriction is that I can't implement this using the post-logout redirect URL that the identity server is built with... simply because we don't want to upgrade to the latest version. Further - manually clearing their cookies/session in the application and then redirecting them to www.application.com/auth does not fully un-authenticate them. The identity server still knows and associates them with some session/cookie.
NOTE: There's no good answer to this question, but I selected answer with the best effort.
Here's an idea for how to do this.
Change your redirect to a special redirect page of your own. In that redirect page you include an iframe that points to the http://www.identityserver.com/logout page. As long as the logout page does not include anti-framing logic, this should achieve the logout.
Now, since the logout iframe is from a different domain than your page and you don't control it, you cannot communicate with the content of the iframe without cooperation from within the iframe. So, assuming there is no cooperation from the iframe, you are left without a good way to know when the logout is complete. But, you probably don't really need to know that. What you do need to do is to make sure the iframe has enough time to send it's initial request so that the identityserver host can receive that logout request. You can test just how long that might be, but if you start measuring time once this special page has finished loading, then a couple seconds is probably more than enough to make sure the iframe logout request has been sent.
Then, after that couple seconds, you can then redirect your special page to whatever new page you wanted to go to. If you're going to measuring the timing starting from when the page is loaded, then you would want to do this redirect from client-side Javascript in that page by just setting:
window.location = "http://www.application.com/auth";
Now, you don't even have to load a special page to do all this or directly involve the server. You could just create the logout iframe with client-side Javascript and insert it in whatever page you're already in. It can be done either way.
As to your original idea, the concept of two redirects from the same server response is conceptually flawed (which has been mostly explained in comments, but I will summarize here).
A server-side redirect consists of a custom header in the response that specifies the new location to go to and a particular response status that tells the requester that it should do a redirect. By definition, this structure can only hold one redirect. And, once that redirect happens, the browser goes to a new page on a new server and this server has zero influence on that browser any more. So, once you redirect to the logout server, you simply can't influence things any more. It's entirely up to that logout server and the page it provides what happens next.
As the comments above suggest, you probably don't want to do this, but I'm going to answer your question regardless since it might help you understand why.
You could set up a chain of redirects like so:
app.get('/start', function(req, res) {
console.log('start');
res.redirect('/hello');
});
app.get('/hello', function(req, res) {
console.log('hello');
res.redirect('/');
});
app.get('/', function(req, res) {
console.log('/');
res.end();
});
But do note that the redirects here are not really useful at all. Anything the / route ultimately does at the end of the chain could have simply been handled upfront by the /start route, no redirects necessary.
Related
I have a Meteor App that I'm whitelisting to just a specific IP.
So something like
handleRoute(req,res) => {
if (req.HEADERS[x-forwarder-for]) === WHITELISTED_IP) {
next(res,req)
} else {
res.writeHead(404);
res.end();
}
}
This works and you get a 404 page.
However, this can lead an attacker to know that the site at least exists. I'd like to obfuscate that further if possible.
Like, if you go to some obscure site that doesn't exist you'll probably see some splash page from your ISP. I'm guessing this is something the ISP put in place when DNS lookup fails.
I'm wondering if it's possible to still show that somehow. This would be using standard Node HTTP Request req,res API.
Thanks!
No, that's not possible. Once the control flow reaches your Node application, an attacker will know that it exists. They will be able to tell the difference between a page that is rendered by the browser on failure to look up a domain name in DNS, and a page you return to them. Besides, they won't be using browsers to investigate targets, so they will see quite a bit more than what a user in a browser would.
I think your best bet would be to copy & paste one of those annoying domain parking pages that web hosts put on a domain when it was purchased but isn't yet hosting a page yet. Ideally you would use the parking page of the domain registrar you used to acquire your domain because it will be the most believable. And of course, try to replicate the entire message (including headers), not just the HTTP body. Unlike the idea of serving a fake "can't resolve domain" page, this one should be entirely possible.
Is it possible to handle a redirect with Apache(.htaccess) after a page load? If so, how (generalized solution)?
Is this the best way to do it?
I want to perform a logout action (so the page must load first) and then perform a redirect to the login page, the thing is that I don't manage all the system after the login page, neither logout. So, is there a way to perform this or should I use a proxy or something?
Sorry if I'm using the wrong terminology, I'm quite lost at this point.
Situation:
I have this site with a login page, but then it goes to another port but the same site, I want to handle after the logout action a return to the login page that's why I'm looking to use apache because I don't have access to the files of that site(HTML, PHP, etc...).
Any help is apppreciated.
I am using express in one of my application. I want to make a post request to a url but it should also redirect to that url. Like when we submit a form using GET/POST method it redirect us to that url (). The only solution which is coming in my mind is
make a hidden form
redirect to that form from controller with data
Submit form using js on page load.
The only disadvantage of this solution is user will see a black page for some time till the form gets loaded.
Can anyone suggest some better solution ?
I think what you are looking for is not a "redirect." It's a solution which will send an extra request to another(or the same) URL and get the result from there instead of showing a blank page to the client for redirecting.
If that's correct, please refer to this similar question:How to forward a request to other endpoint in node.js
If you're looking for redirection (HTTP 301 & 302), the easiest way to do it is passing your data through GET URL query string. You can encrypt your data to prevent security risks.
I need to redirect (after do something) to an URL from doView().
How is it possible?
Many thanks in advance,
From your tags I'm assuming you're writing a portlet, possibly including an actionhandler. Now as soon as you're coming to the render phase, you intend to redirect to a completely different URL (e.g. to redirect your browser to show something outside of the portal) - correct me if I'm wrong.
With this, HTTP redirect is out of the game if you want this to work reliably. (There has been a lively debate on the liferay forums on the reasons)
For this reason javascript is your friend if you intend on the redirect to happen during render phase. However, note that this still might interfere with user expectation: Imagine if two different portlets generate different javascript redirects - which one do you expect to win?
Architecturally it might be cleaner to trigger a redirect during the action phase, but that's not your question
On my website users can post stuff anonymously.
When they have posted something they will be redirected to their post, let's say:
http://example.com/post/2/title-of-the-anonymous-post
The user who submitted the post and the admins are the only ones with access to that post (until it is made public). Once it is made public the post would still be anonymous (i.e. people cannot see who submitted the post).
However, on that page there are also some external links. If the user decides to click an external link the target website has the ability to log the http referer (which would contain the link to the hidden page). This means it would be possible to find out who posted it once it is made public.
Is there a way to change the HTTP referer (/ referrer) when a users clicks on a link to another website?
By for example first redirecting the user to another url and let that page redirect to the external website:
user clicks on: http://example.com/referer-hider?url={urlencoded(url)}
and let the referer-hider redirect the user to the external page so that the referer will contain: http://example.com/referer-hider?url={urlencoded(url)}
Will this work? Or is there another solution for this (which doesn't require client side modifications)?
Since the referrer is provided by the browser to a web server, I only see two ways to insure that external sites don't get a view of this "hidden" URL.
First way would be (as you said) to remove the external links from your hidden page by running them through a redirector which uses header("location: ...");). Yes, that will work. You might just want to use this in general, so that you can track the exits from your site.
Second way would be to stop hiding this URL. It won't stay hidden forever, after all. A Google/Alexa/whatever toolbar hits it, and bam, it's indexed. So instead, build this hidden functionality into something session based. Make a script that changes its output depending on session variables, and only allow the hidden content to show up if people have logged in or previewed their post or whatever.
The third (and probably best) way would be to implement proper access control, so that anonymous users CANNOT visit the page with the restricted content. If you want an anonymous original poster to be able to visit THEIR OWN post, you can send them a cookie, then validate the cookie upon the visit to the unapproved post.
For example, upon submission for approval:
setcookie('postkey', mysql_insert_id());
Then:
$pieces=explode($_SERVER['PHP_SELF']);
$postid=$pieces[2]; // or whatever
if (!isset($_COOKIE['postkey'])) {
header("Location: http://example.org/");
} else if ($_COOKIE['postkey'] != $postid) {
header("Location: http://example.org/");
}
etc. You probably want better protection than this, but it should give you some ideas.
The HTTP referer is not transmitted by the browser when a link is going from HTTPS->HTTP. So a simple solution is to have an https redirect page: https://yoursite/redirect?url=... . However this page is also vulnerable to OWASP a10 - Unvalidated Redirects and Forwards, but that might not matter to you. Another solution that doesn't expose you to OWASP a10 is to use a free redirect service.
The Meta referrer proposal from Adam Barth would help with your case; in short you could tell browsers via a <meta> tag that the Referer header should be stripped on all outgoing links.
This isn't a complete answer since it's only implemented in Webkit thus far, but it's something to keep an eye on.