Currently my client has 2 websites, for example abc.com and us.abc.com. They want that every time a user from the US accesses abc.com, he/she will be redirected to us.abc.com. That can be solved very easily; however, after solving that issue, I ran into another issue related to Facebook.
That is, when a user browses abc.com and clicks the share-to-Facebook button somewhere on the website, what is shared is always what appears on the home page of us.abc.com.
What I think is that because Facebook's server is in the US, when Facebook made the request it was redirected to us.abc.com, which causes the issue.
Is there any way to whitelist Facebook requests and skip them from the redirect rule?
Yes, you can detect that Facebook is making a request. You can do this by using the request headers, as explained in the question How to recognize Facebook User-Agent.
Based on those user-agent strings, you can decide whether to redirect.
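The following is an added example, not code from the question or the answer, of how a geo-redirect rule can exempt Facebook's link-preview crawler while still preserving the requested path for everyone else. It assumes the framework hands over the request headers as a dict and that a country code has already been resolved; the crawler markers are the substrings Facebook documents for its crawler user agents, and the site names are the ones in the question.

```python
"""Skip the geo-redirect for Facebook's link-preview crawler (added example)."""

# Substrings Facebook documents for its link-preview crawler user agents.
FACEBOOK_CRAWLER_UA = ("facebookexternalhit", "Facebot")

US_SITE = "https://us.abc.com"  # the US site from the question


def is_facebook_crawler(headers):
    """True when the User-Agent header names Facebook's crawler."""
    ua = headers.get("User-Agent", "")
    return any(marker in ua for marker in FACEBOOK_CRAWLER_UA)


def geo_redirect_target(headers, country, path):
    """Return the URL to redirect to, or None to serve the request as-is.

    The User-Agent header is chosen by the client, so this exemption only
    decides which page a crawler previews; it must never be used to gate
    access to data. Keeping `path` in the target also fixes the symptom
    in the question where every share pointed at the US home page.
    """
    if country != "US":
        return None
    if is_facebook_crawler(headers):
        return None
    return US_SITE + path
```

Because the crawler now fetches the original page, the Open Graph tags it reads come from abc.com/<path> rather than from the home page of us.abc.com.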
I have a WordPress blog and I want to share my blog posts automatically on my Facebook Fan Page.
I am using the NextScripts: Social Networks Auto-Poster plugin and inserted the App ID and App Secret (I'm already registered at developers.facebook.com). But when I click Authorize Your Facebook Account, I get an error that says:
"Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings."
I already searched for an answer on Google, but still wasn't able to fix it.
For example, I tried doing this in my developers.facebook.com account:
Use Strict Mode for Switch URIs => Turn off (but I cannot turn it off)
Insert https://www.example.com/auth/facebook/callback into Valid OAuth redirect URIs (not solving my problem; I get another error: URL Blocked)
Is there any way to fix it? I only want to share my blog posts automatically to save time, that's all. Any help is very much appreciated. Thank you.
As part of the user flow on my site, the user is redirected to a different domain that is not under my control, where he logs in and is then redirected back to my site.
Google Analytics fails to correctly display the user flow, showing the callback URL as a new landing page, which is obviously wrong.
I am considering rewriting the referrer on the callback page, but it seems like a very hacky solution to a common problem.
Is there a standard way to connect the flow after a redirect?
You must enter the domain of that site in the Referral exclusions list in the Properties settings.
Can someone explain what the Callback URL is and what exactly it's used for?
I'm setting up social login for my WordPress website, and in Facebook and Twitter it asks for a callback URL.
At the moment I have left these blank and it works fine, but I was wondering what exactly they are used for?
I've read on other websites that it should be set like this:
http://mywebsite.com/user/facebook/login
But I don't understand what to use it for.
Is it to redirect the user to your site after they login via their social accounts? If that's the case, doesn't it do that without a callback URL?
Is it to redirect the user to your site after they login via their social accounts?
Yes.
If that's the case, doesn't it do that without a callback URL?
How would it know where to redirect back to, if that information wasn’t passed to it in the first place?
The callback URL is passed as a parameter in the login dialog call. That allows the login provider to a) redirect back to the app, and b) check if the app is even allowed to perform login under that URL.
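As an added example (not code from the answer or from any login provider), here is the provider-side check the answer describes in point (b): the app registered its callback URL in advance, and the login dialog accepts a redirect_uri only if it matches a registered URL exactly. The app id, the registry and the requirement that callbacks use https are constructed assumptions for the example.

```python
"""Exact-match validation of an OAuth callback (redirect) URL: added example."""
from urllib.parse import urlsplit

# Constructed registry: app id -> the exact callback URLs registered for it.
REGISTERED_CALLBACKS = {
    "app-123": {"https://mywebsite.com/user/facebook/login"},
}


def normalise(url):
    """Lower-case only the parts the URL spec treats as case-insensitive.

    Path and query stay byte-for-byte, so a different path (including one
    with ../ segments) or an extra query string does not match.
    """
    parts = urlsplit(url)
    return parts._replace(scheme=parts.scheme.lower(),
                          netloc=parts.netloc.lower()).geturl()


def is_allowed_redirect(app_id, redirect_uri):
    """Return True only when redirect_uri exactly matches a registered URL."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https":       # assumption: callbacks must be https
        return False
    if parts.fragment:                # a fragment is never part of a callback
        return False
    registered = REGISTERED_CALLBACKS.get(app_id, set())
    return normalise(redirect_uri) in {normalise(r) for r in registered}
```

Exact matching (rather than prefix or substring matching) is what stops a redirect_uri such as a look-alike host or an appended path from being accepted, which is the "is the app even allowed to perform login under that URL" part of the answer.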
For a web app I want to let users review and edit a record they made previously through a browser form. In their confirmation mail, they get an access link with a secret token, like http://myapp.com/edityourstuff/hdD8sF2m. Clicking this link shows them a form in which they can edit the existing data they submitted earlier.
This is not as secure as a username/password combination, but much more convenient and suitable for my situation.
However, I want to make this as secure as possible.
GET URLs
If the link containing the secret access token is disclosed, unauthorised people can access the data. My concern here is about shared/public computers.
I was planning to tackle this problem with the following pattern:
Access /edityourstuff/ds8sdfhe via the link in the email
Start a session and store the secret token in it
Redirect to the clean /edityourstuff without the token
The app now has access to the token in the session and can display the form accordingly. And the URL bar does not show it.
My question now is: do browsers store the initial URL, which immediately redirects to the clean URL, in their history?
I know that the different HTTP redirect status codes (301, 302, 303) have different use cases in theory. Is there any information on how different browsers treat the different redirect codes in respect to (not) storing the initial URL in browser history?
I just did some quick testing myself, with Firefox 7.0.1.
When using the above pattern, no matter if 301, 302 or 303 redirect, Firefox does not return to the initial URL when clicking the back button. However, it is shown in the full browsing history and is part of the URL completion list of the browser bar.
This is exactly the drawback I was hoping to avoid.
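The three-step pattern from the question, implemented as an added example (not the asker's code), together with the mitigation that the asker's Firefox test shows is needed: since the tokened URL survives in history and in the address-bar completion list, the token in the link is made single-use and time-limited, so a URL recovered later from a shared computer no longer opens the form. The in-memory stores, the 24-hour lifetime, the hostname and the record ids are constructed stand-ins.

```python
"""Exchange a link token for a session once, then serve a clean URL (added example)."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # constructed lifetime for the emailed link

# Constructed in-memory stores; a real app would keep these in a database.
_tokens = {}    # sha256(token) -> {"record": id, "expires": ts, "used": bool}
_sessions = {}  # session id -> {"record": id}


def _digest(token):
    # Only a hash of the token is stored, so a leaked table does not leak links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_edit_link(record_id, now=None):
    """Create the access link for the confirmation mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(24)
    _tokens[_digest(token)] = {"record": record_id,
                               "expires": now + TOKEN_TTL_SECONDS,
                               "used": False}
    return "https://myapp.example/edityourstuff/" + token


def exchange_token(token, now=None):
    """Steps 1 and 2: validate the link token once and start a session.

    Returns (session_id, response); response describes the redirect the
    handler should send.
    """
    now = time.time() if now is None else now
    entry = _tokens.get(_digest(token))
    if entry is None or entry["used"] or entry["expires"] < now:
        return None, {"status": 403}
    entry["used"] = True  # single use: replaying the URL from history fails
    session_id = secrets.token_urlsafe(32)
    _sessions[session_id] = {"record": entry["record"]}
    # 303 makes the browser GET the clean URL; no-store keeps the tokened
    # response out of shared caches, no-referrer keeps the token out of
    # Referer headers sent to other origins.
    return session_id, {"status": 303,
                        "Location": "/edityourstuff",
                        "Cache-Control": "no-store",
                        "Referrer-Policy": "no-referrer"}


def record_for_session(session_id):
    """Step 3: the clean URL reads the record from the session, not the URL."""
    session = _sessions.get(session_id)
    return None if session is None else session["record"]
```

With a single-use token the history entry that Firefox keeps becomes harmless: whoever finds it gets a 403, and the legitimate user continues through the session cookie, which the clean URL uses instead of the token.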
I have a login page, and users from different domains are redirected to this page for the purpose of SSO. I use the referrer HTTP header field to know where the user has come from, so on successful login I return him/her to his/her original domain.
But sometimes my referrer is not set, while other times it's set. Why?
Users can come to your page using different methods:
By entering the URL of your page, directly into the address bar of the browser
By clicking a link to your site from another site
By reloading your current page
By submitting a form on your site (sending a POST request back to your site)
By navigating through back/forward buttons of your browser.
By being redirected through a previous page to the current page.
Now, browsers really differ in how and when they set the referrer header field. But as a general rule, you can be sure that on a link click or on submitting a form (POST request), they set the referrer field. Also, if you have come to the current page via a redirect or a link, the browser still preserves the referrer header on F5 (page reload).
If you see that your referrer field is empty, it's because someone knows your login page URL and enters it directly into the address bar, or someone has bookmarked it, and so sends a GET request.
Generally, you shouldn't always expect the referrer field, because it's outside your control. You should use cookies or query strings, because they are under your control.
The other thing is that some users may have the referrer option disabled in their browsers as part of their browser security settings.
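As an added example (not code from the answer), the query-string variant the answer recommends: the originating domain sends the user to the SSO login page with an explicit return_to parameter that is HMAC-signed and time-limited, and the login page checks the signature and an allowlist of SSO domains before redirecting back. A missing or stripped Referer header then no longer matters, and the parameter cannot be rewritten into a redirect to an arbitrary site. The shared key, the allowlist, the hostnames and the 10-minute lifetime are constructed for the example.

```python
"""Return the user after SSO login via a signed return_to parameter (added example)."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"constructed-shared-secret"          # shared by the SSO domains
ALLOWED_RETURN_HOSTS = {"app1.example", "app2.example"}  # constructed allowlist
RETURN_TTL = 600  # seconds a return_to link stays valid


def _sign(return_to, expires):
    message = f"{return_to}|{expires}".encode()
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).hexdigest()


def build_login_url(login_base, return_to, now=None):
    """Run on the originating domain before sending the user to the login page."""
    now = int(time.time() if now is None else now)
    expires = now + RETURN_TTL
    query = {"return_to": return_to, "exp": expires,
             "sig": _sign(return_to, expires)}
    return login_base + "?" + urlencode(query)


def resolve_return_target(query_string, now=None, fallback="/"):
    """Run on the login page after a successful login; never reads Referer."""
    now = int(time.time() if now is None else now)
    query = parse_qs(query_string)
    try:
        return_to = query["return_to"][0]
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return fallback                      # direct visit or bookmark: no origin
    if expires < now:
        return fallback                      # stale link
    if not hmac.compare_digest(sig, _sign(return_to, expires)):
        return fallback                      # tampered return_to or exp
    parts = urlsplit(return_to)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_RETURN_HOSTS:
        return fallback                      # signed, but not one of our SSO domains
    return return_to
```

The allowlist check is kept even though the value is signed: if the signing key is ever shared with a domain that should not be a return target, the login page still refuses to send users there.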