
I am modifying OpenCart, which contains several modules represented by PHP pages. However, my question applies to any case that involves the following, so no need to make this an OpenCart-specific question.

I wish to change the way one module/PHP page redirects after it has done its work.

What I have done is modified the module in question to process a session variable to modify the URL to be redirected to.

Custom page

if ( !$this->customer->isLogged() ) {
    // remember where to come back to, then send the visitor to the register page
    $this->session->data['redirect'] = $this->url->link('account/blah');
    $this->redirect($this->url->link('account/register', '', 'SSL'));
}

Page where redirection has been modified

if (isset($this->session->data['redirect'])) {
    // follow the target stored by the custom page instead of the default one
    $this->redirect($this->session->data['redirect']);
}

It works but I do not feel it is secure. What could be done to improve it?

P.S: Here's how redirection is actually handled in OpenCart.

protected function redirect($url, $status = 302) {
    header('Status: ' . $status);
    // turn HTML-escaped '&amp;' back into '&' and strip CR/LF so the URL cannot inject extra headers
    header('Location: ' . str_replace(array('&amp;', "\n", "\r"), array('&', '', ''), $url));
    exit();
}
James P.
  • There is http code 307, which tells browsers to do a redirect using the same request method used which caused the 307, but it's not widely supported due to various potential security problems. – Marc B Jun 05 '13 at 19:37
  • @nl-x I have added the code snippet used. – James P. Jun 05 '13 at 19:37
  • @MarcB The redirection is handled by the script itself. – James P. Jun 05 '13 at 19:38
  • This is not a POST. This is a redirect header based on Session data. If the initial request was a POST, the redirect will also be a post. – nl-x Jun 05 '13 at 19:38
  • You are right. I confused myself into thinking about a POST because of the fact that it triggers everything on the first page. It's only then that a session variable is used. Question edited. – James P. Jun 05 '13 at 19:44

2 Answers

1

Insecure? Why? Can the user modify the content of $this->session->data? If not, I would think it's "secure", in the sense that there is no injection possible... That being said, I don't know the internals of OpenCart.

If you want to make a redirection that is NOT specific to OpenCart, you'll need to use the header() function of PHP, or http_redirect().

FMaz008
  • I don't know. Would it be possible to modify the session data? – James P. Jun 05 '13 at 19:49
  • About the redirection, the idea is for page A to tell page B where it should go after it has done its work. – James P. Jun 05 '13 at 19:50
  • @JamesPoulson No, clients cannot modify your session data. They can however try to hijack someone else's session if your sessions aren't secure enough. (For example, some client manages to get someone else's sessionID.) – nl-x Jun 05 '13 at 19:53
  • Interesting comment about sessionID. I will look into it :) – James P. Jun 05 '13 at 19:53
  • @JamesPoulson Here's something on preventing session hijacking: http://stackoverflow.com/questions/12233406/preventing-session-hijacking . – nl-x Jun 05 '13 at 19:56
1

In general, you have the following ways to do an automatic redirect on load:

  • HTTP header from a server side script such as PHP header("Location: http://www.example.org/bar");
  • HTTP Meta refresh <META HTTP-EQUIV=REFRESH CONTENT="1; URL=http://www.example.org/bar" />
  • Javascript window.location.href = 'http://www.example.org/bar';

But there are also some other ways, such as using an applet such as Flash or Java. Don't rely on these, as most browsers have popup-blocking mechanisms that might prevent such redirects.

There is not much to say about security, other than that the order to redirect comes from the server and that the client is supposed to follow that order. But the client always just might NOT listen...

All you need to do as developer is to NOT give any more data than what is needed for the redirect. So for example, in PHP, after using header("Location: http://www.example.org/bar");, be sure to also do exit(); so the rest of the PHP isn't also parsed to the HTML and sent to the client.

nl-x
  • Thanks for the tip about using an `exit()` :) . – James P. Jun 05 '13 at 19:52
  • @JamesPoulson Is your question answered? – nl-x Jun 06 '13 at 09:07
  • I wouldn't use meta as it's not really the purpose and I wouldn't be surprised to see it deprecated eventually. And I would favor PHP over Javascript when possible, since it's server side, hence more secure (as it seems to be a concern of James). exit() or die() is a good recommendation. – FMaz008 Jun 07 '13 at 04:15
  • @nl-x It is :) . So the conclusion is that using sessions is ok. That will save a lot of hassle. Answer accepted. – James P. Jun 07 '13 at 05:13
  • I've added the code that opencart uses for redirection. It uses an exit(). – James P. Jun 07 '13 at 09:55
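As an added example (not the question's OpenCart code and not part of either answer), the following PHP shows the session-driven redirect from the question with the stored target checked before it is used, together with the header()-plus-exit() pattern recommended in the second answer. The function names, the session key 'redirect', the host shop.example and the sample targets are all assumptions made for this illustration.

```php
<?php
// Added example (not OpenCart's code). Names, the 'redirect' session key and
// the host shop.example are assumptions for the illustration.

/**
 * Return true only if $target is a site-absolute path (e.g. "/account/blah")
 * or an absolute http(s) URL whose host is exactly $own_host. Rejects
 * scheme-relative "//evil.example", foreign hosts, non-http schemes,
 * user@host tricks and any control character (CR/LF would inject headers).
 */
function is_safe_redirect_target(string $target, string $own_host): bool
{
    if ($target === '' || preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return false;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return false;
    }
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute (or scheme-relative) URL: require http(s) and our own host.
        $scheme = strtolower($parts['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)) {
            return false;
        }
        return isset($parts['host']) && strcasecmp($parts['host'], $own_host) === 0;
    }
    // Relative reference: must start with a single "/" (not "//host" or "/\host").
    $path = $parts['path'] ?? '';
    return $path !== '' && $path[0] === '/' && !preg_match('#^/[/\\\\]#', $path);
}

/** Emit the Location header and stop, modelled on the OpenCart snippet in the question. */
function redirect_and_exit(string $url, int $status = 302): void
{
    // Strip CR/LF so the value cannot start a new header line, then exit() so
    // nothing else of the page is rendered into the response.
    $clean = str_replace(["\r", "\n"], '', $url);
    header('Location: ' . $clean, true, $status);
    exit();
}

// Page A (the custom page): store where to come back to before redirecting away.
function remember_return_target(string $target): void
{
    $_SESSION['redirect'] = $target;
}

// Page B (the page whose exit redirect was modified): consume the target once,
// validate it, and fall back to a fixed page when it does not pass.
function finish_and_redirect(string $own_host, string $fallback = '/account/account'): void
{
    $target = $_SESSION['redirect'] ?? null;
    unset($_SESSION['redirect']);   // one-shot: a stale target must not linger
    if ($target === null || !is_safe_redirect_target($target, $own_host)) {
        $target = $fallback;
    }
    redirect_and_exit($target);
}

// Self-check with constructed targets (runs only from the CLI, no headers sent).
if (PHP_SAPI === 'cli') {
    $cases = [
        '/account/blah'                     => true,
        'https://shop.example/account/blah' => true,
        'account/blah'                      => false, // not site-absolute
        '//evil.example/phish'              => false,
        'http://evil.example/'              => false,
        'http://shop.example@evil.example/' => false,
        'javascript:alert(1)'               => false,
        "/account/blah\r\nSet-Cookie: x=1"  => false,
    ];
    foreach ($cases as $target => $expected) {
        $got = is_safe_redirect_target($target, 'shop.example');
        printf("%-4s %s\n", $got === $expected ? 'ok' : 'FAIL', json_encode($target));
    }
}
```

The check deliberately accepts only two shapes (a site-absolute path or a URL on the shop's own host), so even if a stored target were ever influenced by untrusted input the redirect stays on the site; the fallback keeps the page usable when the check fails rather than dropping the visitor on an error.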