When you are logged out, the URL gets lost when you log in #13441
It won't remember any hash, as the hash won't be visible in the referrer etc., but it would work for most other pages. To make it work for the hash, it would likely get way more complicated: we would need to persist it through JS, temporarily store it somewhere and redirect accordingly. It fixes the case mentioned in the issue. fix #13328
if ($module !== 'Login' && $module !== Piwik::getLoginPluginName() && $referrer) { | ||
$host = Url::getHostFromUrl($referrer); | ||
// we only redirect to a trusted host | ||
if ($host && Url::isValidHost($host)) { |
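Review bot: The guard at `if ($host && Url::isValidHost($host))` validates only the host that `Url::getHostFromUrl($referrer)` extracts, while `$referrer` comes from a client-supplied header; nothing in the lines shown constrains its scheme, path or query. If the code that follows redirects to the raw `$referrer` string, consider rebuilding the target from the parsed components (or at least requiring an http/https scheme) so that the value that was validated is the value that is used, and extend the comment `// we only redirect to a trusted host` to say that this check is the open-redirect defence. The first condition also compares `$module` against both the literal 'Login' and `Piwik::getLoginPluginName()`; a short comment on why both comparisons are needed would help the next reader.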
To increase security we could maybe do even if ($host && Url::isValidHost($host) && $host === Url::getCurrentHost()) {
but this could be maybe tricky with proxies etc.
isValidHost does $host === Url::getCurrentHost()
basically, so should be ok IMO
Works for me, though I think a simple solution to support the hash would be to store in the session when redirecting to login. Think it's doable @tsteur ?
You'd just need to send the hash through JS which may be a problem or bit difficult...
Of course, wasn't thinking... I guess it could be sent through a custom query param when logging in, but that might be too much work, and maybe a security risk.
I shall be blunt: not handling the hash makes this a non-fix. The pages that I believe people spend almost all their time on depend fundamentally on the hash, and you’re effectively not on the same page at all if the hash is lost. The correct fix is to stop using the hash, and put everything in the query string (using history.pushState to manage it all from the client).
@chris-morgan we will maybe in Matomo 4 or at some point stop using the hash but we can't easily do it as it requires changing quite a bit of code through our big codebase and couple plugins.
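The idea discussed in this thread (carrying the hash through the login form while still redirecting only to a trusted host), sketched as an added example that is not part of the PR or of Matomo's code. `TRUSTED_HOSTS`, `sanitizeFragment`, `postLoginTarget` and the fallback path are hypothetical names; it assumes a script on the login page has copied `location.hash` into a form field, so both the referrer and the fragment are client-controlled input.

```javascript
// Added example: hypothetical helpers, not Matomo code.
// TRUSTED_HOSTS stands in for the application's configured trusted hosts
// (constructed sample value).
const TRUSTED_HOSTS = new Set(['analytics.example.org']);

// Accept only a real fragment: it must start with "#", stay within a sane
// length and contain no whitespace or control characters. Anything else is
// dropped, so the field cannot be used to supply a different URL.
function sanitizeFragment(raw) {
  if (typeof raw !== 'string' || raw.length > 2048) return '';
  if (!raw.startsWith('#')) return '';
  if (/[\u0000-\u0020\u007f]/.test(raw)) return '';
  return raw;
}

// Build the post-login target from the client-supplied referrer and fragment.
// Returns the fallback unless the referrer is http(s) on a trusted host.
function postLoginTarget(referrer, fragment, fallback = '/index.php') {
  let url;
  try {
    url = new URL(referrer); // throws on empty or relative input
  } catch (e) {
    return fallback;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return fallback;
  if (url.username || url.password) return fallback; // no userinfo tricks
  if (!TRUSTED_HOSTS.has(url.hostname)) return fallback;
  // Rebuild from parsed components so the value that was validated is the
  // value that is used; the referrer's own fragment is never trusted.
  return url.origin + url.pathname + url.search + sanitizeFragment(fragment);
}
```
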
* Add reports dimensions to metadata of report and rows
* translate dimension columns
* updates test files
* fix possible error when no report is available
* update tests
* Improve subdimension detection
* Adjust tests for labelX logic
* Makes flattener compatible with 3 dimensions
* Adds new method getThirdLeveltableDimension to report class
* Do not ask for 2fa authentication code when CoreUpdater is being requested (#13796) Could fix an edge case where user is logged in, but hasn't confirmed the auth code (so the user is not actually logged in), and then an update appears.
* Added Fallback Method for Alexa in SEO Plugin (#13552)
* added fallback method for Alexa, fixes issue #13427
* do not use short array syntax for consistency with other methods
* use mini link for Alexa, use DomXPath to filter out the global ranking instead of regex
* Use db sessions by default, deprecate file session handler (#13540)
* use db sessions by default, deprecate file session handler
* trying to fix tests
* Prevent trigger errors on demand for instances that are opened to anonymous (#13535) fix #13513
* Remove the previous exception in base validator so the same error is not printed twice (#13801)
* Fixing build (#13802)
* update submodule
* Update screenshots and try to get test to pass.
* Get SingleMetricView to pass. (#13803)
* Quickform2 throws warnings with PHP7.2 (#13463) fixes #13272 Haven't actually tested it but should fix the issue. If tests pass, the logic would be still the same. I don't have a PHP 7.2 running here otherwise at the moment
* Send bulk requests in chunks when needed (#13444)
* send bulk requests in chunks
* send requests correctly
* Make log and report data screen less technical (#13464)
* When you are logged out, the URL gets lost when you log in (#13441) It won't remember any hash as the hash won't be visible in the referrer etc but it would work for most other pages. To make it work for hash it would get likely way more complicated like we would need to persist it through JS, temporarily store it somewhere and redirect accordingly. It fixes the case mentioned in the issue. fix #13328
* show full information of URL only on extra click (#13585)
* Add option to opt in to use send beacon (#13451)
* Add option to opt in to use send beacon
* Fix JS tracker test.
* do not overwrite existing subrow metadata
* update test files