Submit Feedback
Legacy Knowledge Base
Published Jun. 30, 2025

Login URL Parameters Reported as Security Threat

Written By

Balázs Létai

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided"as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • Vulnerability Assessment and Penetration Testing (VAPT) reports the parameters passed in the login request as a security threat.
  • How can these parameters be removed or mitigated?

Environment

  • Liferay DXP 7.4+

Resolution

Liferay DXP uses specific URL parameters for the LoginPortlet to manage different aspects of the login process. These parameters, including p_p_idp_p_lifecyclep_p_statep_p_mode, and _com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName, are essential for identifying the portlet, handling its lifecycle and state, and determining the MVC render command. The saveLastPath configures whether to save the last path or not. This is optional and affects specific functionality.

The following files within the login-web module handle different aspects of the login URL parameters, from setting them up to processing them during login actions:

  1. LoginUtil.java: This utility class has methods related to handling login operations, such as getLoginURL which sets parameters like saveLastPath and mvcRenderCommandName.
  2. LoginMVCActionCommand.java: This class processes login actions and directs the parameters accordingly.
  3. LoginPortlet.java: The main portlet class for handling the login portlet.

While there is no out-of-the-box way to completely remove these parameters, you can implement the following workarounds to mitigate the security concerns:

  1. Custom Login Page with URL Rewrite:

    1. Create a custom login page.
    2. Add the Liferay Sign-In portlet to your custom login page.
    3. Set the auth.login.url property in your portal-ext.properties file to point to your custom login page. This redirects users from the default login URL /c/portal/login to your custom page, effectively hiding the default URL parameters.
    4. Configure rewrite rules in your web server (e.g., Nginx, Apache) to redirect any requests to /c/portal/login (with or without parameters) to your custom login page. This ensures that even if someone manually enters the default login URL with parameters, they are redirected to your custom login page.

  2. Servlet Filter: Implement a servlet filter to intercept and modify login requests. The filter can remove or rewrite the parameters before the request reaches Liferay's login portlet.

Additional Information

 

Did this article resolve your issue ?
Legacy Knowledge Base
Did this article resolve your issue ?