Is there a more correct way to handle redirects in authentication flows? (e.g., HTTP status 302, JavaScript, or an auto-submit form)

Viewed 38 times

4

I work on a project where we have a Frontend application and a second Backend application (Nodejs) that takes care of authentication and contains a REST API. In the authentication part, Backend generates a session token and saves it to a cookie in the user’s browser. So far so good.

Now that we have the session cookie saved, we need to redirect the user to the initial URL in Frontend. The question is: is there a market practice of the best or most correct way to do this (in terms of security, mainly)? We have the options below:

  1. return an HTML page with a refresh meta tag;
res.set('Content-Type', 'text/html');
res.status(200).send(`
<html>
   <head>
      <meta http-equiv="refresh" content="5; URL='https://www.redirect-url.com/'"/>
   </head>
</html>
`);
  2. return an HTML page that contains a script that changes window.location.href to the redirect URL;
res.set('Content-Type', 'text/html');
res.status(200).send(`
<html>
   <head>
      <script>
         window.location.href = "https://www.redirect-url.com";
      </script>
   </head>
</html>
`);
  3. return an HTML page that contains a form whose action attribute is set to the redirect URL, and auto-submit it when the page loads via the onload attribute;
res.set('Content-Type', 'text/html');
res.status(200).send(`
<html>
   <body onload="document.forms[0].submit()">
      <form method="post" action="https://www.redirect-url.com">
         <input type="submit" value="Submit" />
      </form>
   </body>
</html>
`);
  4. set HTTP status 302 (Found) and the Location header in the response so that the browser redirects the user;
res.redirect('https://www.redirect-url.com');

// or alternatively...
res.set('Location', 'https://www.redirect-url.com');
res.status(302).end();

So, ignoring the issue of SEO and looking at it from the perspective of security, common practice and browser support, is there a more correct way to do this?

  • 1

    ERR_HTTP2_PROTOCOL_ERROR is not a "global" error; it is probably due to some server-side error (could be below) or an error in some header you passed at the time of a redirect, so you should [Edit] and add a [mcve] of the problem, with a step by step of what you have already done, and explain clearly and objectively what you need. Do not delete and do not repeat the question; just edit and wait for the reopening process. Reopening (if your question is OK after editing) will be evaluated by 5 random users in the "analysis queue". Follow the tips. Thank you.

  • I believe this is a question based on opinion. But I would use the headers (i.e., the 4th option). It is also the only one that would work without support for JS, i.e., if you make a request outside the browser.

No answers
