Vulnerability in EPiServer.Forms
I may not have done a proper search, but I could not find an answer to my problem. If a user does not have access to a page, they are redirected to a login page. For some reason, the login page is always in English but appends a querystring parameter of http://www.mywebsite.com/partners?ReturnUrl=%2fes-es%2f ... etc etc. The language it appends in the querystring is correct, which is "es-es" in my case. But why is the actual login page itself in English? We do have a simple address of "partners", and I was thinking maybe this is affecting it. After they log in, they are redirected back to the correct language page. It was just the login page itself I am referring to.
How would I change this? I looked in Masterpages codebehind, but I don't see where this is stored for passing the redirect page to login without the proper language. I hope I explained that properly.
The standard login page should use translation from the xml files in the lang-folder. Do you have language files with a language key that matches either es-es or just es for your site?
Yes, I do have the xml files for es and es-es. I think the problem is possibly the rewriting of the url? Instead of it being www.mywebsite.com/es-es/partners, it redirects to www.mywebsite.com/partners. There is an "es-es" page created in this language. It just doesn't use it. I'm not sure where the code is that creates this url.
I have tested some more and I think that I understand the problem now. The login page does not seem to take the language of the returnUrl into consideration. When discussing this with some of the developers here, we think that it's in between being a bug or a feature request, since the EPiServer login page is mostly used for the UI and it's possible to exchange that for a custom login page for the site. Could you solve this by creating your own login page? This way you can improve the user experience, since the user probably wants to log into the site regardless of the CMS behind.
Regards
Linus Ekström
EPiServer Development Team
I was hoping I wouldn't have to create a custom login page, but if that's the case then I will do that. It would've been nice, as you said possibly a feature request, to have the login page serve the returnURL language of the login page as well as add the querystring. Oh well. Thanks for looking into it! I appreciate it.
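
One way a custom login page could pick its language from the ReturnUrl discussed in this thread, as an added example that is not part of the original posts and is not EPiServer code. The class and method names and the list of enabled languages are assumptions, and no EPiServer API is used; because ReturnUrl is user-controlled, only a site-relative path with an allowlisted language prefix is accepted.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;

public static class LoginLanguage
{
    // Assumption: languages enabled on the site. "es-es" is from the thread,
    // the other entries are constructed for the example.
    private static readonly HashSet<string> Enabled =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "en", "es", "es-es" };

    // Returns the culture for the login page, or the fallback when ReturnUrl is
    // missing, not site-relative, or does not start with an enabled language.
    public static CultureInfo FromReturnUrl(string returnUrl, string fallback = "en")
    {
        // ASP.NET has already URL-decoded the query string value,
        // so "%2fes-es%2f" arrives here as "/es-es/".
        if (string.IsNullOrEmpty(returnUrl) || !IsLocalPath(returnUrl))
            return CultureInfo.GetCultureInfo(fallback);

        // Drop any query string or fragment, then look at the first path segment.
        string path = returnUrl.Split('?', '#')[0];
        string[] segments = path.Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);

        // Only allowlisted values ever reach CultureInfo; anything else falls back.
        if (segments.Length > 0 && Enabled.Contains(segments[0]))
            return CultureInfo.GetCultureInfo(segments[0]);

        return CultureInfo.GetCultureInfo(fallback);
    }

    // Accept only site-relative paths ("/x"), not "//host", "/\host" or absolute URLs.
    private static bool IsLocalPath(string url)
    {
        return url[0] == '/'
            && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }

    public static void Main()
    {
        // Constructed sample values.
        string[] samples = { "/es-es/partners", "/partners", "//other.example/es-es/", "/xx-yy/page" };
        foreach (string u in samples)
            Console.WriteLine("{0} -> {1}", u, FromReturnUrl(u).Name);
    }
}
```

The returned culture would be applied to the login page before its text is rendered; how that is wired into the site's language files depends on the page implementation.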