+ Start a Discussion
jcnacjcnac 

security issue using sites

we have a case where a sites page is being used as a login screen, then internally it logs in the customer portal after. then the logout facility is used by redirecting to /secur/logout.jsp

after logout, in the URL, input the Sites URL + a VisualForce page that can only be accessed while logged in.

What happens is that SalesForce allowed the access and logs as last user that logged in.

 

example:

sites URL = https://company.na1.force.com/

after logging in, we browse through the system, let's say: the URL is now https://na1.salesforce.com/apex/SamplePage

assuming that SamplePage is one of the VF pages implemented and can only be accessed by a logged in portal user.

then click on logout -> used https://na1.salesforce.com/secur/logout.jsp

then, input in URL: https://company.na1.force.com/apex/SamplePage

The browser will redirect to the page as if the previous user is logged in.

 

after some investigation, it seems that the cookie for https://na1.salesforce.com domain is the only one invalidated and https://company.na1.force.com/ domain cookie is still valid, allowing the access to the system.

 

it seems that we need to logout by redirecting to https://company.na1.force.com/secur/logout.jsp too to invalidate both cookies.

 

My idea is on click of logout, it will redirect into a blank VF page that logs out using https://company.na1.force.com/secur/logout.jsp in an iFrame, then, redirect to https://na1.salesforce.com/secur/logout.jsp

 

Do you have any better ideas?

Best Answer chosen by Admin (Salesforce Developers) 
BulentBulent

partially. Logout terminates the session (and clears the cookie) for the domain it's called from.

 

go with option 1. Option 2 doesn't make sense (you are already logged in to portal when you login with sites, no need/benefit to login again) 

All Answers

BulentBulent

Let's clarify the flow first:

 

1- sites URL = https://company.na1.force.com/ 

>>Is this a developer edition org (company-developer-edition.na1.force.com)? or Sandbox. The url format doesn't seem to be correct for any edition 

 

 

2. after logging in

>>login via portal login or login via sites login? 

 

 

3. we browse through the system, let's say: the URL is now https://na1.salesforce.com/apex/SamplePage

>>this url tells me you login via the portal login page not the sites login 

 

4. assuming that SamplePage is one of the VF pages implemented and can only be accessed by a logged in portal user. 

then click on logout -> used https://na1.salesforce.com/secur/logout.jsp

>>this url tells me you are not in sites context. 

 

 

5. then, input in URL: https://company.na1.force.com/apex/SamplePage

>> if the above steps are correct this should not happen. Since you never logged in via the sties login page 

 

 SID cookie is set at the domain level. Since we are talking about two different domains (salesforce.com and force.com) loggin in via one of them should not effect the other.

 

can you clarify your flow? 

 

jcnacjcnac

Thank you for the reply

 

1- sites URL = https://company.na1.force.com/ 

>>Is this a developer edition org (company-developer-edition.na1.force.com)? or Sandbox. The url format doesn't seem to be correct for any edition 

- the URL is sandbox URL. we are using this format: https://<company>.<sandbox>.<server>.force.com/0

 

2. after logging in

>>login via portal login or login via sites login?

- we login our system using a custom login VF page accessed usings Sites. let's name the VF page: LoginSite.page

it has a controller (LoginSite.cls)  that logs in using Site.login() function. and redirects to another VF page stated in the URL passed as a parameter in Site.login() function. lets call the VF page that opens after login in Sites AfterLogin.page.

the VF AfterLogin.page has a controller (AfterLogin.cls) that logs in the our Customer Portal by redirecting to the Customer Portal URL: https://na1.salesforce.com/secur/frontdoor.jsp?sid=<System.UserInfo.getSessionId()>orgId=<orgId>&portalId=<portalId>

 

3. we browse through the system, let's say: the URL is now https://na1.salesforce.com/apex/SamplePage

>>this url tells me you login via the portal login page not the sites login 

- Yes, on this step, the user is browsing through the VF pages using the Customer Portal Login

 

4. assuming that SamplePage is one of the VF pages implemented and can only be accessed by a logged in portal user. 

then click on logout -> used https://na1.salesforce.com/secur/logout.jsp

>>this url tells me you are not in sites context.

- Yes, we are not on Sites' context, we use the relative path /secur/logout.jsp in logging out. since the User is currently on the Customer Portal domain, it executes the logout using https://na1.salesforce.com/secur/logout.jsp

 

 

5. then, input in URL: https://company.na1.force.com/apex/SamplePage

>> if the above steps are correct this should not happen. Since you never logged in via the sties login page 

- inputting https://<company>.<sandbox>.<server>.force.com/apex/SamplePage lets the user access the VF page since the user is only logged out / invalidated based on the Customer Portal domain (na1.salesforce.com) and not in SItes Context.

 

 

SID cookie is set at the domain level. Since we are talking about two different domains (salesforce

BulentBulent

Why are you authenticating users twice? once on force.com domain and once on salesforce.com domain.

as you said your flow only logging them out at the domain they are in - in your case salesforce.com -  but not the force.com, as it's supposed to.

 

I'm not sure why you are doing this but if you must then you need to call logout.jsp fro both saleforce.com and force.com context. 

jcnacjcnac

We have additional logic for authenticationg users. the AfterLogin.page serves as the decision point that either logs the user in the Customer Portal or redirect the users into an UnableToLogin page.

 

Since we need to login on Sites and Customer Portal both, is there a "best practice" approach in handling the case?

I am thinking of 2 possible workarounds, and I am not sure if it will work:

1. the workaround I posted on the first post.

or

2. maybe we can logout the Sites right before logging in the Customer Portal: using the same concept as I stated in first post, logout the Sites page using an IFrame before logging in Customer Portal.

 

Any suggestion will help. Thank you.

BulentBulent

I don't think your second suggestion (logout from sites first then login to portal) would work. Sites logs you in to portal, and you are using the user session id to log them to portal and if you logout first then the session id won't be valid.

 

You can create a site page and set the portal logout url to this page so when you are in portal and when you logout first  it logs you out from portal (na1.salesforce.com) and then this page could call the logout.jsp in the site domain and clear the cookie from the sites domain.

 

I am still questioning your extra logic to authenticate twice. Do you log out user if they can't pass the criteria after the first login? You authenticate them the second time or not they are already logged in to portal via the first login and they can just type the page name and see the page - same profile, same portal, the only difference is the domain name.

jcnacjcnac

Thank you for the suggestion.

 

It seems that we do not logout the first Login (Sites). We need to authenticate the user the second time because we implemented additional logic before logging in that requires us to retrieve records in our Custom Objects.

 

First authentication:

Username and password combination to login to Sites.

 

Second authentication:

We check the record retrieved in a custom object (the object is accessed using the rights of the Sites user profile).

 

If it matches, only then the user will be given the rights (customer portal user profile) to access the system and its objects. We do this by redirecting to the Customer Portal URL + sid + orgId + portalId parameters.

 

 

Is there something wrong with the implementation? or are there better ways of implementing an additional login logic?

 

One more thing, in the Sites setup, we specify the VisualForce pages that Sites can access, as well as those VisualForce pages that the Sites User Profile can access.

However, in our case, wherein we can successfully logout the domain for the Customer Portal but we failed to invalidate the cookie for the Sites domain, and then we enter a value in the URL: <Sites URL> + /apex/<VisualForce page that Sites cannot access>, the user is still redirected to the correct page eventhough I expect that an error: Insuficient Priviledges to appear.

I am a bit confused since I am thinking that we logged out the Customer Portal but we didnot logout Sites. But since it Sites that is not logged out, it should have limited/different rights, therefore it cannot access those VF pages that the Sites do not have access to.

 

More clarifications:

Do Sites.login() is used in logging into Sites only?

Is redirecting to the Customer Portal URL + sid logs in to the Customer Portal automatically?

 

Thank you for your time.

BulentBulent

Sites is for anonymous access. When you need to authenticate your users via sites, sites provides integration with customer/partner portal products.

You can find more details on this topic in this article.

 

Once you authenticate users via sites they become portal users and they are logged in to the portal (that is associated with your site) and you can still keep the site url. But they are no longer bound with the site profile (public access settings), these authenticated users have their own portal profiles.

 

so in your case after the first login they are already logged in to portal with all the access they can get via their portal profile (site profile is not valid), so the second authentication is not relevant.

 

You might want to check your custom logic after the first login and if it fails log the user out and it passes do nothing. 

Message Edited by Bulent on 02-16-2010 07:14 PM
jcnacjcnac

After reading the article and some testing, I think the problem is that we redirected on the Customer Portal Domian (https://<server>.salesforce.com/) and passed the session Id that came from the first Login. It caused for a new cookie to be created with a different domain that stores the session id. Then the logout only invalidates the cookie with the domain: <server>.salesforce.com, and not the sites domain.

 

because of this, I have 2 options:

1. implement the correct login practice wherein I do not have to redirect to <server>.salesforce.com domain

2. implement a VF page that will invalidate the cookie with Sites' domain. this VF page is called on the via logout URL setting in Customer Portal, so that right after the Customer Portal logs out (invalidating the cookie with the Customer Portal domain), the VF page that invalidates the cookie with the Sites domain will run.

 

Is my understanding correct?

BulentBulent

partially. Logout terminates the session (and clears the cookie) for the domain it's called from.

 

go with option 1. Option 2 doesn't make sense (you are already logged in to portal when you login with sites, no need/benefit to login again) 

This was selected as the best answer
jcnacjcnac

Thank you for all the help.