After logout due to inactivity , login redirection is not right

Created on 18 December 2019, over 5 years ago

Updated 9 September 2024, 10 months ago

Steps to reproduce.
1. Create 2 user as "abc"(userid=2) and "xyz"(userid=3).
2. Set Timeout value in seconds as 60 and 5 in Timeout padding in setting form (/admin/config/people/autologout)
3. Login as "abc".
4. Do nothing for 60 seconds.
5. So Session reset popup will come for 5 seconds.
6. Do nothing for 5 seconds.
7. So after total 65 seconds you will redirect to "http://yourdomain.com/user/login?
destination=/user/2&autologout_timeout=1"
8. You will redirect to login page with logout due to inactivity message.
9. Now login as "xyz" you will redirect to "http://yourdomain.com/user/2" , where userid 2 is for "abc" . So after login as "xyz" user should
redirect to "http://yourdomain.com/user/3" instead of "http://yourdomain.com/user/2".

📌 Task

Status

Fixed

Version

1.0

Component

Code

Created by

🇮🇳India hardik_patel_12 India

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment 10 months ago →
🇺🇸United States sea2709 Texas
I noticed the latest patch is applied in latest version. From my understanding, the patch allows anonymous users to redirect to a user page which has the user id parameter the same with the logged in user. I have concern about the case, for example, an admin user would like to redirect to a edit profile page of an authenticated user after the admin logs in, so the URL should be https://example.com/user/login?destination=/user/345/edit , it seems this patch forces the admin the land on his or her own user page.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024