Jump to content

Redirect to another URL and browser cache


OpenLG
 Share

Recommended Posts

Hi,

I have a couple of restricted templates using the "Redirect to another URL" if the user doesn't have access. I redirect to a custom login page with the {id} tag. On successful login the user then gets redirected to the page he/she was trying to access in the first place (if the user in question has access to the page). You probably get the point.

I now have a user who gets the "too many redirects" browser issue. I haven't been able to reproduce this so it's too early to draw any conclusions.

Anyone else having similar issues?

Also pw seems to always redirect with a HTTP 301 internally, i.e. the "Redirect to another URL" functionality, and these are cacheable in the browser (http://en.wikipedia.org/wiki/HTTP_301). PHP does however by default add headers that should make the browser not use cache: the no-store, no-cache, expires etc. This would effectively make the 301 (permanent redirect) behave like a 302 (temporary redirect), however the browsers have as far as I know have not been particularly good at following the recommendations regarding cache headers.

Is there a reason for always using 301, in the pw core?

Link to comment
Share on other sites

There's another parameter for PW's redirect function if you're using that in module code or a template to make it redirect with a 302 instead. Is it in a module or template that you're redirecting or are you talking about PW in general?

Link to comment
Share on other sites

Yes I know of this parameter and my code always use the second parameter for 302s but I'm talking about processwire itself. My code is so far only in templates, no custom built modules.

If you do a

grep -R 'redirect(' ./

in the processwire root dir, you will find a lot of examples. The functionality I'm referring to is under the "ACCESS" tab in "Edit Template" with the label "What to do when user attempts to view a page and has no access?" and in code it's in one of the modules under wire/modules/Process/

Link to comment
Share on other sites

Is there a reason for always using 301, in the pw core?

We've never seen any negative side effects from using 301s, so that became the default behavior of $session->redirect(). Whereas, there can be negative side effects from using 302s on the front-end of your site (at least with regards to Google). Even if that reason doesn't matter on the admin side, most redirects that PW does internally I would still call fitting the permanent designation, semantically. Though if a browser/software did start applying that literally to just a URL in our context (as opposed to a URL+POST) then we'd be forced to use 302s in some instances.

On successful login the user then gets redirected to the page he/she was trying to access in the first place (if the user in question has access to the page).

This one might make more sense as a 302, I agree.

I now have a user who gets the "too many redirects" browser issue. I haven't been able to reproduce this so it's too early to draw any conclusions.

I've not seen this before, but please let us know what you find.

Link to comment
Share on other sites

Thanks for your input ryan. Imagine the following scenario:

I have a page with a template that requiers the admin role (with the "Redirect to another URL" set).

  1. The page is visited while not logged in (role = guest?)
  2. User gets redirected with a 301 to a noaccess page
  3. User then logs in with the admin account (or an account that has the admin role)
  4. User visits the page again but since the previous 301 was cached in the browser it instead visits the noaccess page

This was my line of thinking. Sorry for dragging this out but I just want to make sure my point comes across. My point being that if you do a redirect based on some conditional (hasRole('admin') etc.) a 302 might be more suitable since the conditional might return different results from time to time (a user might get stripped of his/her admin role privilege).

As far as SEO goes I do get that 301s are a useful but this isn't about that.

Link to comment
Share on other sites

User visits the page again but since the previous 301 was cached in the browser it instead visits the noaccess page

Is this what you think happened in the case you mentioned? I can't say as though I've witnessed that behavior, but let me know if you are able to reproduce the redirect loop--it seems plausible in the situation you mentioned.

As far as SEO goes I do get that 301s are a useful but this isn't about that.

301s are useful, but 302s can also be dangerous if used in the wrong place. I was stating this just to clarify why 301 is the default behavior of the $session->redirect function, and why you have to specify a second bool param if you specifically want a 302.

Link to comment
Share on other sites

  • 7 years later...

I came across this post because I had this redirect problem in a production environment. I could reproduce this in Firefox. The problem also occurs in IE.

I have a template that can only be viewed by users with a specific role.
Based on the template settings, an unregistered user or a user who does not have the required role will be redirected to a different URL (301).
This is done by ProcessPageView::execute().
If the user tried to access the page before logging in and therefore has been redirected once, the redirect will also be performed when the user is logged in later because the browser has cached the redirect.

Possible solutions:

  • Add a unique GET parameter (such as a timestamp) to the URL in the link.
  • Trigger the redirect via API in the template file:
    $session->redirect('/targeturl/', false); // 302

     

  • Paste this hook into your init.php
    wire()->addHookBefore('Session::redirect', function($e) {
    	$url = $e->arguments[0];
    	if ($url == '/login/') $e->arguments(1, false); // change to 302 if target is /login/
    });

 

  • Like 2
Link to comment
Share on other sites

8 hours ago, kixe said:

Based on the template settings, an unregistered user or a user who does not have the required role will be redirected to a different URL (301).

That sounds like an issue that should perhaps be fixed in the core - when redirecting due to lack of access I don't think this should be permanent redirect because as you say the user may just need to log in and then they should have access. Maybe you can create a GitHub issue for this to get Ryan's take?

  • Like 2
Link to comment
Share on other sites

9 hours ago, Robin S said:

That sounds like an issue that should perhaps be fixed in the core - when redirecting due to lack of access I don't think this should be permanent redirect because as you say the user may just need to log in and then they should have access. Maybe you can create a GitHub issue for this to get Ryan's take?

I don't think this is a PW issue. I am playing around a bit with this behaviour. The problem is, browsers does not handle this consistent and there does not exist a proper status header. Something like a combination of 401 and 302 (e.g. "Moved Login required") would match this situation. Browsers should never cache those redirects and search engines should handle this also without disadvantages. This does not exist.

Another workaround without redirect should work with the following hook in init.php

// render login for guest users trying to access a disallowed page without redirect
wire()->addHookAfter('ProcessPageView::ready', function($e) {
	if ($this->wire('user')->isSuperuser() || $this->wire('user')->hasRole('client')) return;
	$pid = $this->wire('page')->id;
	$disallowedPageIDs = array(1582, 5584, 5342, 1133, 1607, 5374, 6075, 6605);
	if (in_array($pid, $disallowedPageIDs)) {
		$login = $this->wire('pages')->get('/login/');
		$this->wire('page', $login);
	}
});

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...