Unexpected behaviour of FAIL_URL LOGOUT_URL in login form.

websafe

Hello :-)

I've read http://help.directadmin.com/item.php?id=61 and created an external login form.

HTML:
<form action="http://www.yourdomain.com:2222/CMD_LOGIN" method="POST" name="form">
<input type=hidden name=referer value="/">
<input type=hidden name=FAIL_URL value="http://www.yourdomain.com/login_failed.html">
<input type=hidden name=LOGOUT_URL value="http://www.yourdomain.com/logged_out.html">
Username: <input type=text name=username>
Password:<input type=password name=password>
<input type=submit value='Login'>
</form>

And everything works fine, except this scenario:

1. Go to http://www.yourdomain.com/yourloginform.html
2. Log in with existing credentials
3. Ok, you're logged in
4. Log out - you will be redirected to LOGOUT_URL, so everything is still fine.
5. Again, log in with existing credentials.
6. Ok, you're logged in
7. Now do not log out in DA, just go back to http://www.yourdomain.com/yourloginform.html
and try to log in with NONEXISTING credentials (for example with a wrong password)

You will see DirectAdmin's login form; the redirect to FAIL_URL will not occur.

Expected behaviour: redirect to FAIL_URL.


So, the problem occurs when the user is logged in and tries to log in again with wrong credentials.


Am I doing something wrong, or are you able to reproduce this behaviour?


TIA.
 
Looking over the code, that is how the logic is written.
Code:
If authenticated:
   do authenticated things
else
   send error

Since you're already authenticated, the send error code is never reached.

Calling CMD_LOGIN while already logged in is a different case (essentially never used), and just shows the login page without any of the fancy options, hence the issue.

What I've done is change it so that if you call CMD_LOGIN when you're already logged in, you're sent to /.
Because the main login checking code would be re-run, the session would then be reset correctly, so if the wrong password is used, you'll get the FAIL_URL as expected.
Available for next release of DA.

John
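
The two dispatch orders discussed in this thread, as an added example that is not part of either post and is not DirectAdmin code. The handler names, the sample account, the session id scheme and the assumption that the reset drops the old session are all hypothetical; only the form fields come from the thread.

```python
import hmac

# Model of the dispatch order discussed in this thread; not DirectAdmin code.
# Handler names, the user table and the session id scheme are assumptions.
USERS = {"alice": "correct-horse"}   # constructed sample account
SESSIONS = set()                     # session ids that are currently valid
FORM = {"referer": "/",              # hidden fields from the form in the first post
        "FAIL_URL": "http://www.yourdomain.com/login_failed.html",
        "LOGOUT_URL": "http://www.yourdomain.com/logged_out.html"}

def login_check(form):
    """Main login check: only the submitted credentials decide the outcome."""
    stored = USERS.get(form.get("username", ""))
    given = form.get("password", "")
    if stored is not None and hmac.compare_digest(stored.encode(), given.encode()):
        SESSIONS.add("sid-" + form["username"])
        return ("redirect", form.get("referer", "/"))
    if "FAIL_URL" in form:
        return ("redirect", form["FAIL_URL"])
    return ("login_page", None)

def handle_old(path, form, sid):
    """Old order: a live session is checked first, the form is never evaluated."""
    if sid in SESSIONS:
        if path == "/CMD_LOGIN":
            return ("login_page", None)   # plain login page, FAIL_URL ignored
        return ("page", path)
    return login_check(form)

def handle_new(path, form, sid):
    """Changed order: CMD_LOGIN with a live session resets it and re-runs the check."""
    if path == "/CMD_LOGIN" and sid in SESSIONS:
        SESSIONS.discard(sid)             # the old session does not survive the attempt
        return login_check(form)
    return handle_old(path, form, sid)

def scenario(handler):
    """Steps 5-7 of the report: log in, then submit a wrong password."""
    SESSIONS.clear()
    handler("/CMD_LOGIN", dict(FORM, username="alice", password="correct-horse"), None)
    return handler("/CMD_LOGIN", dict(FORM, username="alice", password="wrong"), "sid-alice")

if __name__ == "__main__":
    print("old:", scenario(handle_old))
    print("new:", scenario(handle_new))
```

In this model the old order returns the plain login page for the wrong password, while the changed order evaluates the submitted form and redirects to FAIL_URL.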
 