MISC-7: LoginRadius will redirect users back to WWW

Issue Information

Issue Type: Bug
Priority: Major
Status: Closed

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: Miscellaneous (MISC)
Resolution: Fixed (2017-07-06 10:17:24)
Affects Version: Bentasker.co.uk via Tor,
Target version: Bentasker.co.uk via Tor,

Created: 2015-05-22 16:20:19
Time Spent Working

The social media login features provided in the shop section by LoginRadius will result in a user attempting to login via the .onion being redirected back to https://www.bentasker.co.uk

The cookie set on landing will be issued by the www-front so won't be valid if the user then switches back to the onion.

So there are essentially two issues here

- User can get redirected to the clearnet without warning
- Social media login doesn't work on the .onion

As a precaution against the former (my bigger concern) I'm going to temporarily block the shop section (with an appropriate message) for the .onion.

Issue Links

Toggle State Changes


Access blocked with the following location statement
    location ~ /shop {
        try_files /noexist /shpblock.html;

Response is
ben@milleniumfalcon:~$ GET -Sse http://6zdgh5a5e6zpchdz.onion/shop
GET http://6zdgh5a5e6zpchdz.onion/shop
200 OK
Connection: close
Date: Fri, 22 May 2015 15:43:10 GMT
Accept-Ranges: bytes
Server: nginx
Content-Length: 1936
Content-Type: text/html
Last-Modified: Fri, 22 May 2015 15:37:26 GMT
Client-Date: Fri, 22 May 2015 15:43:10 GMT
Client-Response-Num: 1
Link: <http://static.6zdgh5a5e6zpchdz.onion/templates/joomspirit_76/css/main.css>; media="all"; rel="stylesheet"; type="text/css"
Link: <http://static.6zdgh5a5e6zpchdz.onion/templates/joomspirit_76/css/nav.css>; media="all"; rel="stylesheet"; type="text/css"
Link: <http://static.6zdgh5a5e6zpchdz.onion/templates/joomspirit_76/css/template.css>; media="all"; rel="stylesheet"; type="text/css"
Link: <http://static.6zdgh5a5e6zpchdz.onion/templates/joomspirit_76/css/media_queries.css>; media="screen"; rel="stylesheet"; type="text/css"
Link: <http://static.6zdgh5a5e6zpchdz.onion/templates/joomspirit_76/css/theme_blue.css>; media="all"; rel="stylesheet"; type="text/css"
Link: <http://static.6zdgh5a5e6zpchdz.onion/templates/joomspirit_76/css/print.css>; media="print"; rel="stylesheet"; type="text/css"
Link: <http://static.6zdgh5a5e6zpchdz.onion/templates/joomspirit_76/css/custom.css>; rel="stylesheet"; type="text/css"
Link: <http://static.6zdgh5a5e6zpchdz.onion/templates/joomspirit_76/css/custom_white.css>; rel="stylesheet"; type="text/css"
Title: .onion access to the shop temporarily suspended

<title>.onion access to the shop temporarily suspended</title>
<link rel="stylesheet" href="http://static.6zdgh5a5e6zpchdz.onion/templates/joomspirit_76/css/main.css" type="text/css" media="all" />
<link rel="stylesheet" href="http://static.6zdgh5a5e6zpchdz.onion/templates/joomspirit_76/css/nav.css" type="text/css" media="all" />
<link rel="stylesheet" href="http://static.6zdgh5a5e6zpchdz.onion/templates/joomspirit_76/css/template.css" type="text/css" media="all" />
<link rel="stylesheet" href="http://static.6zdgh5a5e6zpchdz.onion/templates/joomspirit_76/css/media_queries.css" type="text/css" media="screen" />
<link rel="stylesheet" href="http://static.6zdgh5a5e6zpchdz.onion/templates/joomspirit_76/css/theme_blue.css" type="text/css" media="all" />
<link rel="stylesheet" href="http://static.6zdgh5a5e6zpchdz.onion/templates/joomspirit_76/css/print.css" type="text/css" media="print" />
<link rel="stylesheet" href="http://static.6zdgh5a5e6zpchdz.onion/templates/joomspirit_76/css/custom.css" type="text/css" />
<link rel="stylesheet" href="http://static.6zdgh5a5e6zpchdz.onion/templates/joomspirit_76/css/custom_white.css" type="text/css" />
<h1>.onion access to the shop temporarily suspended</h1>
<img src="http://static.6zdgh5a5e6zpchdz.onion/images/eagle_black_large_trans.png" style="float: left; margin: 5px; max-width:100px; />
<div style="float: left"><p>The shop section isn't currently ready to work via the .onion address.</p>
<p>There are a few features within this section which may redirect you to the www. site without warning. As a precaution I've temporarily blocked access for the .onion site
(though you can still access across the www.)</p>
<p>For more information, see <a href="http://projects.bentasker.co.uk/jira_projects/browse/MISC-7.html">http://projects.bentasker.co.uk/jira_projects/browse/MISC-7.html</a>
<p><a href="/">Back to Site</a></p>


I suppose I should probably think about returning an appropriate response code as well though.
Before deciding how best to fix, it's probably worth deciding if it's worth fixing

I don't want to leave the shop section blocked indefinitely, but would unblocking it and disabling social media logins for the .onion be a better option? Not sure of the mechanism to do so yet, but if I could disable loginradius solely for the .onion it's probably a good improvement for privacy.

How many people are likely to visit the site via the .onion and yet be willing to let a 3rd party link their Twitter (or whatever) account to a visit to my site (onion or otherwise)?

On the other hand, though, disabling loginradius on the .onion means another difference between the onion and www-front that I'll need to maintain.

Needs thought.....
At the moment, this is probably largely moot.

The shop section has been read-only since the VAT MOSS changes earlier this year, so currently noone can log in, with social media or otherwise.

On the other hand, if the planned changes come into effect in January, I'll have to do MOSS stuff for offline sales/contracts anyway, so may look at re-opening the shop (as the extra MOSS overhead will be present and inavoidable at that point).

I'll leave this issue open for the time being, but can probably start to think about removing the block as the reason for it's implementation is no longer present. Just need to remember come January so that it can either be re-blocked, or the issue with LoginRadius resolved.
This has effectively been fixed.

I closed the shop section down quite some time ago, so have now moved it to being a collection of static pages, so loginradius isn't present on the site at all.

The archives can be accessed via Tor - http://6zdgh5a5e6zpchdz.onion/shoparchives
btasker changed status from 'Open' to 'Resolved'
btasker added 'Fixed' to resolution
btasker changed status from 'Resolved' to 'Closed'