[Security] form login use_referer option not work.

[yceruto]

I want redirect to the previous page when "login" is successful.

Given the following security settings:

# app/config/security.yml
security:
    # ...

    firewalls:
        main:
            # ...
            form_login:
                # ...
                # The documentation say:
                # In case no previous URL was stored in the session, 
                # you may wish to try using the HTTP_REFERER instead...
                use_referer: true

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }

Steps to reproduce the current behavior:
(1) Open /dashboard page (any page without authentication required)
(2) Open /login page (HTTP_REFERER = 'http://example.com/dashboard')
(3) Sign in using valid credentials /login_check (HTTP_REFERER = 'http://example.com/login')
(4) Redirects to / (default_target_path). I expected redirect to /dashboard instead.

I checked according to DefaultAuthenticationSuccessHandler that use_referer only works if login isn't performed from login_path, which is very strange.

So, is this the expected behavior of the use_referer option?

[yceruto]

I found this old issue #10049 related, but in step (3) sign in using invalid password.

[dmaicher]

To me this behaviour seems normal. The referer is stored in the session when the user tries to visit a page that requires authentication and then is redirected to the login page.

So:

1. visit /some/thing/that/needs/auth
2. not logged in yet so redirect to /login, at this point now the referer in the session is the path from 1)
3. login
4. redirect to /some/thing/that/needs/auth

I don't think there should be any referer redirect if the user visits a page that does not need authentication before actually logging in.

[yceruto]

@dmaicher thanks for taking the time to investigate this issue, BUT your steps are performed exactly as you explain, even though use_referer: false :) It's the point, so which it's the actual use case of this option?

[yceruto]

@dmaicher it's the code executed in you case.

Then the use_referer is used when the login action comes from IS_AUTHENTICATED_ANONYMOUSLY paths.

As you can see in my Step (4) the HTTP_REFERER is the /login path and according to the code, it's only used if the current referer path is not equal to the login path:

if ($this->options['use_referer'] 
   && ($targetUrl = $request->headers->get('Referer')) 
   && $targetUrl !== $this->httpUtils->generateUri($request, $this->options['login_path'])) 
{
     return $targetUrl;
}

return $this->options['default_target_path'];

therefore always returns the default_target_path. I do understand?

[dmaicher]

Ah sorry I see. I confused the option with the actual feature of using the session referer.

So it only works for use cases where the form POST comes from a different page than /login, right?

Maybe its meant to be used if you have the login form embedded in the header of your page or something. So once you logged in you get redirected back to the page where the POST came from?

[yceruto]

So it only works for use cases where the form POST comes from a different page than /login, right?

Exactly! IMO that is the unique case.

Maybe its meant to be used if you have the login form embedded in the header of your page or something. So once you logged in you get redirected back to the page where the POST came from?

Yes! so what would be the login_path in this case? :(, two login zones? it doesn't make much sense.

[fabpot]

Does #23580 fixes your issue?

[yceruto]

Yep, I think it's the only use case:

'target path as referer' => array(
    Request::create('/', 'GET', array(), array(), array(), array('HTTP_REFERER' => 'http://localhost/dashboard')),
    array('use_referer' => true),
    '/dashboard',
 ),

Thanks!

[yceruto]

However, the documentation is not clear about it, https://symfony.com/doc/current/reference/configuration/security.html#use-referer

use_referer
type: boolean default: false
If true, the user is redirected to the value stored in the HTTP_REFERER header when no previous URL was stored in the session.

it's not true always, this depend of the configured login_path option also.

Same here https://symfony.com/doc/2.0/cookbook/security/form_login.html#using-the-referring-url