CPS Authentication URLs


Status
Not open for further replies.

ramriot

Well-known member
May 24, 2018
Hi Steve,

A quick observation of the format of the CPS 302 redirect the client gets from your server. The current format is:-

https://sqrl.grc.com/?sqrl/authenticate/&token={unique_token}

This appears odd to me because you have a question mark in the middle of what looks like a path designation, then an ampersand for an additional query parameter where there was no first parameter. Should not the format be:-

https://sqrl.grc.com/sqrl/authenticate/?token={unique_token}

Just my 2c for today.
 

Steve

Administrator
Staff member
May 6, 2018
www.grc.com
Hi Gary!
We have many different SQRL clients and servers and website running around now. So it's always best to fall back to the reference trio of GRC's client, GRC's server and GRC's website. If you try the same thing authenticating to https://sqrl.grc.com/demo I think you'll see the clean, sparse, minimal and sane format you would expect from me: https://sqrl.grc.com/auth.test?{unique_token}.

What you're seeing is what Rasmus Vind configured to suit his needs for authentication under XenForo and PHP. The SSP API is able to accommodate multiple different CPS authentication formats within a single domain. I'm using one for the /demo and /msa pages and Rasmus has his own for these forums. In his case, the weird format is the result of the way the Zend PHP framework handles "routing" (whatever that is). <g>
 

ramriot

Well-known member
May 24, 2018
Steve said:
> What you're seeing is what Rasmus Vind configured to suit his needs for authentication under XenForo and PHP. The SSP API is able to accommodate multiple different CPS authentication formats within a single domain. I'm using one for the /demo and /msa pages and Rasmus has his own for these forums. In his case, the weird format is the result of the way the Zend PHP framework handles "routing" (whatever that is). <g>

I suspected as much. Being an old hand here, I still find LAMP-based CMSs' page routing is always an oddity. Each platform attacks it in its own way, usually starting from a .htaccess catch-all rule to send everything after the designated root as an internal hidden path= etc. GET parameter to the fronting file (usually index.php). For myself, I always try to make the paths look rational so that SEO is not affected & attackers don't get hints to the internals.
 
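The following is an added example, not code from the thread, GRC or XenForo: it runs both redirect shapes discussed above through a standard URL parser, and models the ".htaccess catch-all to index.php" front-controller pattern that produces the first shape, to show that the server can recover the same route and token from either form while a generic parser sees them very differently. The token values are constructed placeholders, and `route_front_controller` is a hypothetical simplification of such a router, not the Zend or XenForo implementation.

```python
"""Added example (not part of the forum thread): decompose the two CPS
redirect URL shapes and model a LAMP-style front controller that accepts
both. Token values below are constructed placeholders."""
from urllib.parse import urlsplit, parse_qsl

# Constructed sample URLs mirroring the two shapes from the thread.
FORUM_STYLE = "https://sqrl.grc.com/?sqrl/authenticate/&token=EXAMPLE_TOKEN_1"
PATH_STYLE = "https://sqrl.grc.com/sqrl/authenticate/?token=EXAMPLE_TOKEN_1"


def decompose(url):
    """Return (path, [(key, value), ...]) as a generic URL parser sees it.

    keep_blank_values=True makes a bare key such as 'sqrl/authenticate/'
    (no '=') survive as a key with an empty value; the default would
    silently drop it, which is exactly what makes the first shape odd.
    """
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def route_front_controller(url):
    """Hypothetical front controller (assumption, not the real framework).

    A catch-all rewrite hands every request to index.php, which recovers the
    route either from the real path (PATH_STYLE) or, failing that, from the
    first bare query key (FORUM_STYLE).  Returns (route, params) with the
    route normalised to no leading or trailing slash.  Either way the route
    is attacker-controlled input and must be matched against a fixed table
    of handlers, never used to build a file path or include.
    """
    path, pairs = decompose(url)
    params = {}
    route = path.strip("/")
    for key, value in pairs:
        if value == "" and route == "":
            # Bare key acts as the hidden route parameter.
            route = key.strip("/")
        else:
            params[key] = value
    return route, params


if __name__ == "__main__":
    for label, url in (("forum style", FORUM_STYLE), ("path style", PATH_STYLE)):
        print(label, "parser view:", decompose(url))
        print(label, "router view:", route_front_controller(url))
```

Running it shows the parser view of the forum-style URL as path `/` plus a query key `sqrl/authenticate/` with an empty value followed by `token`, while the path-style URL yields the route in the path and `token` as the only parameter; the router view is identical for both, which is why the server is happy with either shape even though only the second reads as a sane URL.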