Joomla! 3.4.6 redirect issue after front-end login

Joomla 3.4.6 was released this week to fix a critical security flaw. However on many updated websites, redirects after login on front-end ceased to work.

Many websites broken

Looking at automatic tests results on Perfect Dashboard, our update platform, we have noticed, that redirecting issue has broken many websites. Brian Teeman (co-founder of Joomla!), who took part in the debate about this issue on GitHub, wrote: “(...) existing web sites that were working perfectly have now been broken. There is nothing in the release notes to say that.”

What is the problem with redirect after front-end login

After logging in on a front-end of Joomla website in many cases you will get redirected to the user profile, instead of to the url you added at the 'Login redirect' option in menu item.

Since Joomla 3.4.6 redirect works only when url:

  • starts with index.php
  • is a non-sef url
  • is an internal link

In simple words, Joomla considers any redirects after login as unsafe by default.

What was the reason behind this change

In developers’ opinion this issue is a security fix, not a regression. In previous Joomla versions there was a bug, which allowed hackers to insert code influencing redirection, they explain. This bug allowed to redirect user after login through malicious use of the redirect url.

Phil Taylor (founder of myJoomla.com) wrote “(...) these might have worked in the past - but that was due to a bug in the way Joomla validated the urls. Now that security has been applied and the urls tested correctly the above examples [external urls] will fail .”

Alternative approach

Our lead developer, Piotr Moćko thinks however, that it is possible to achieve same level of security without breaking so many websites. “Existing internal links from users’ domain - even if it’s sef url - could be transformed to version required by Joomla 3.4.6 by Joomla update process” he suggests. “This would save many developers a headache”. The other point he’s making is that banning external redirects won’t improve website security much. If hacker is able to influence redirections, he is usually able to do more harmful things.

How to fix it

Since Joomla 3.4.6 it is impossible to redirect with external url without hard coding changes in the login component. As you know hard coding changes are not recommended as every update will override it. It will complicate your work in future, taking more time to prepare websites to update properly.

If you have a SEF URL in options “Login Redirect” or “Logout Redirect” in menu item type of “User Form” then you have to change it to a non-SEF URL.

redirect User after login to page 1

For example if you redirect User after login to page: /sample-sites, then you have to find a menu item with alias “sample-sites” and read it ID which is in our case = 238.

redirect User after login to page

Next change “Login Redirect” or “Logout Redirect” to “index.php?Itemid=238” and save it. Before redirection Joomla! would change a non-SEF to the SEF URL.

redirect User after login to page 3