Public
New Commentator

How to include referer in login URL

I'm setting up SSO, and it's great that the `referer` value will get added to the URL I provide for our login page.  The problem is that our login page redirects to another service for setting the Lithium cookie, but it doesn't pass on the referer parameter.
So my hope is that in the login URL, I could "encode" the referer value into the `returnurl` parameter that our login system uses.
Currently I have a login url that looks like this:
https://foo.com/login?returnurl=https://bar.com/community-user-redirect
what I would really like to do is this:
https://foo.com/login?returnurl=https://bar.com/community-user-redirect%3F%0Areferer={referer}

and at runtime, when my user is on page "A", the {referer} part would be replaced with "A".  Then, after the user hits submit on the login page, it would redirect to:
https://bar.com/community-user-redirect?referer=A

Is there anything like that possible?

Thanks!

 

1 Reply 1
Khoros Oracle

Hi Mike, if you need to do multiple redirects or stages of the user flow, I recommend totally owning those steps outside the community. So you would implement a new interim location for the community to send a user to, and that request's query string will bear the community's "return" URL. From there, if you need the user to go through more steps, you'll want to pass that stateful data along in your own secure way. It's neater for your application to manage those handoffs because you can validate and secure the redirect URLs according to your own policies, and you can also update your overall flow in any future way without worrying about updating the community's configuration or sequencing the change just right across platforms.

As a rough example:

  • Community sends user to //YOURSITE/login?redirect_to=https://COMMUNITY/welcomeback/
  • You validate the redirect URL https://COMMUNITY/welcomeback/ and set it as a (trusted) property of the user's session
  • You perform a myriad of auth-related tasks, maybe bouncing through a couple URLs, and eventually, the user is logged in
  • You check for the community redirect URL, and if it is there, you set the necessary cookies and forward the user along to their final destination

Using the session is just one way to carry that state across the flow. You could also encrypt the final destination, or even pass it along via cleartext query parameters. Just make sure you've properly validated the URL before you use it.

Welcome to the Technology board!

Curious about our platform? Looking to connect on social technology? You've come to the right place!

Are you a Khoros customer? For direct assistance from our Support team, please visit the Support Forum.