Announcement

Collapse
No announcement yet.

Invalid redirect url appearing since security patch

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Invalid redirect url appearing since security patch

    I read a solution on vb.org to "Always use Forum URL as Base Path", but this solution is for vBulletin 4, I'm still running 3.8.

    My problem is that when a user enters via http://mydown.org/forums and logges in, he will get this error notice:

    System Message

    Invalid Redirect URL (http://mydomain.org/forums/)
    However, when he then uses http://www.mydomain.org/forums in his browser, so with the www in front, he is logged in already (because the cookie is already set with the first attempt). When directly using this url for logging in, no problem occurs.

    Now this worked properly before the latest phishing security fix. After I implemented this fix, the above problem occurs.
    I told my user to use the link with the www in front, but I would rather have a good fix for this, because this has always worked as it should be.

    Next to that, on many DNS systems the www is only a cname and on some it is not even used. So how can I fix this?
    Greetings, Black Tiger

  • #2
    I'm having the same problem running Vbulletin 3.8 as well.

    Comment


    • #3
      This is probably a cookie domain/path issue. To fix this, upload the tools.php script in the 'do_not_upload' folder of the vB zip file to your Admin CP directory and run it from your browser. Use this to reset the cookie domain and path back to the defaults. And then leave your cookie domain and path at the default settings. There is no reason to change these. If you need to specify a unique cookie, use the cookie prefix setting in config.php instead.

      Comment


      • #4
        Why do you think it's a cookie domain/path issue? Nothing is changed, it worked before, and problem started after applying the security patch.
        So there is no reason to think it would be a cookie problem. The cookie path never changed and neither did any kindlike settings.

        So thank you for thinking with us, but the cause of the problem is the security patch, as is also to be seen in a couple vb4 threads.
        Greetings, Black Tiger

        Comment


        • #5
          I'll try the tools.php method. In the meanwhile though I changed the "$vbphrase[invalid_redirect_url_x]" phrase to a more informative one for my users.

          Comment


          • #6
            When correctly reading the cookie path setting, it should not be default when using domain.com and *.domain.com (f.e. forum.domain.com or www.domain.com), because in that case the correct setting should be .domain.com and not default.
            However, I've always used the default and it always worked fine so I'll wait and see if your problem gets solved by using the tools.php. I doubt it because I'm having this problem at 3 different forums, and only after applying the security fix.
            Greetings, Black Tiger

            Comment


            • #7
              Do you guys all allow users to browse your site via both www.yoursite.com and just yoursite.com? If so, you need to have the cookie domain set to be ".yoursite.com" (no quotes, but note the period at the beginning).

              Please don't PM or VM me for support - I only help out in the threads.
              vBulletin Manual & vBulletin 4.0 Code Documentation (API)
              Want help modifying your vbulletin forum? Head on over to vbulletin.org
              If I post CSS and you don't know where it goes, throw it into the additional.css template.

              W3Schools <- awesome site for html/css help

              Comment


              • #8
                Yes, at least I do. So my explanation about how the cookie domain setting should be, is correct.
                However it's strange this problem did not occur before the security patch.
                The correct setting is already the only possible setting in the pulldown menu, so it's easy to change.
                Greetings, Black Tiger

                Comment


                • #9
                  Originally posted by Black Tiger View Post
                  Yes, at least I do. So my explanation about how the cookie domain setting should be, is correct.
                  However it's strange this problem did not occur before the security patch.
                  The correct setting is already the only possible setting in the pulldown menu, so it's easy to change.
                  So you are set up correctly and your users go to sitea.com and then get a message about an invalid redirection to siteb.com (the OP used two different domain urls in describing his problem).

                  If so, try disabling your modifications/plugins and see if you still have this problem.
                  Note: To temporarily disable the plugin system, edit includes/config.php and add this line right under <?php

                  PHP Code:
                  define('DISABLE_HOOKS'true); 

                  Please don't PM or VM me for support - I only help out in the threads.
                  vBulletin Manual & vBulletin 4.0 Code Documentation (API)
                  Want help modifying your vbulletin forum? Head on over to vbulletin.org
                  If I post CSS and you don't know where it goes, throw it into the additional.css template.

                  W3Schools &lt;- awesome site for html/css help

                  Comment


                  • #10
                    No i did use the default way... which is not correct, but now just understood that it should be different in that case.

                    By the way.... Is there a way to oblige your users to use www.domain.com instead of domain.com? This way I can leave everything at default.
                    Greetings, Black Tiger

                    Comment


                    • #11
                      I found an easyer solution, just add "http://domain.com/forums" to your Redirect Domain Whitelist in the Admincp->Site/Url/Contact details.
                      Problem fixed.

                      However, an automatic redirect from domain.com to www.domain.com should be nicer.
                      Greetings, Black Tiger

                      Comment


                      • #12
                        Fixed that too. So in case you only want you users to use the www version, put a .htaccess in your public_html directory with this content:

                        Code:
                        Options +FollowSymLinks 
                        RewriteEngine on 
                        RewriteCond %{HTTP_HOST} ^domain.com [NC] 
                        RewriteRule ^(.*)$ http://www.domain.com/$1 [L,R=301]
                        Greetings, Black Tiger

                        Comment


                        • #13
                          i have also the same problem

                          i upload this vBulletin Security Patch for vB 3.8.7 : Low Risk "phishing" patch
                          after that this error is coming


                          my forum is in trouble becuase forums member facing troubling to login so help me

                          Comment


                          • #14
                            One of the above solutions should be working for you.
                            By the way... your attached picture is not working.
                            Greetings, Black Tiger

                            Comment


                            • #15
                              login.php?do=login
                              could not find phrase 'invalid_redirect_url_x'.
                              this file
                              please make soluation for me
                              Attached Files

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              X