PHP: returning the user to the original page after logging in

Are there any "best practices" as to how to return the user to their original page after logging in to your site, in particular in PHP? For example, if I look at a StackOverflow question while not logged in, how would you guarantee that I return to this question after I log in?

From my research, there seems to be a lot of advice around the $_SERVER['HTTP_REFERER'] variable. Basically, you take note of the referrer, store it in the session, and then redirect back to that page when you're done.

The problem is that HTTP_REFERER is unreliable at best.

This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it really cannot be trusted. - http://php.net/manual/en/reserved.variables.server.php

Any attempt to tamper with the referrer to redirect to other areas of the site would be handled by the usual permission checks. If the referrer fails, one could simply redirect the user to the main page of the site rather than the page they came from. This seems needlessly user-hostile though, and I was hoping there would be a better way to handle this.

+4
4 answers

On the login page:

```php
<form action="controller/LoginController" method="post">
<?php
if (isset($_SERVER['HTTP_REFERER'])) {
    // Carry the referrer into the POST so the controller can validate it and redirect back.
    echo '<input type="hidden" name="l" value="' . htmlspecialchars($_SERVER['HTTP_REFERER']) . '" />';
}
?>
<!-- the rest of the form -->
<input type="submit" />
</form>
```

In the login controller, you take the value of $_POST['l'] and check whether this URL is on your own website. If it is not, redirect to the default page; otherwise redirect to that URL.

Make sure that on the login page, if the user is already logged in, you redirect the user to the home page or similar. This prevents accidents such as redirecting back to the login page.

$_SERVER['HTTP_REFERER'] is the responsibility of the browser. It is also fairly reliable in most cases. If the browser does not send it, or if you are worried about it, you can use the session instead.

On each page, just set $_SESSION['lastvisitpage'] to the current page URL. When the user logs in, redirect to $_SESSION['lastvisitpage'].

Since $_SERVER['HTTP_REFERER'] can be tampered with by the user at any time, you should treat it as you would any other user-provided variable.

+6

It would be better if you saved the last page you visited yourself, possibly with a session.

If the user first requests a page from your site, start a new session and initialize the last URI with the current URI. Update this last URI whenever another page is requested, until the login page is reached. Now, if authentication succeeds, you can redirect the user to that last URI.

And if you have a login form on each page, use the hidden input that stores the current URI.

+3
```php
if (user_not_logged_in()) {
    // Pass the current page path along so the login page can send the user back afterwards.
    $link = 'http://example.com/login?continue=' . urlencode('path/to/current/page');
    echo '<a href="' . htmlspecialchars($link) . '">Login</a>';
}
```

This is how I and sites like Google do it. You will need to make sure that you check the continue variable and filter out unexpected URLs first.

Another option is to use AJAX and allow the user to log in from any page. The user logs in, you submit the form via AJAX, and refresh when the request returns.
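The validation that the first answer ("check whether this URL is on your own website") and the continue-parameter answer both leave to the reader, as an added example in PHP that is not code from any of the answers above; it assumes the login page lives at /login and that the site's own hostname (example.com here) is passed in from configuration rather than read from the Host header:

```php
<?php
// Added example: validate a user-supplied return target (the hidden "l" field
// or the ?continue= parameter) before redirecting to it, so the login page
// cannot be used as an open redirect. $own_host is assumed to come from
// configuration, because the Host header is itself client-controlled.
function safe_return_url(?string $target, string $own_host, string $default = '/'): string
{
    // Empty values and anything containing control characters or whitespace are rejected.
    if ($target === null || $target === '' || preg_match('/[\x00-\x20\x7f]/', $target)) {
        return $default;
    }
    $parts = parse_url($target);
    // Credentials in the URL are a classic way to disguise the real host.
    if ($parts === false || isset($parts['user']) || isset($parts['pass'])) {
        return $default;
    }
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute URL (e.g. a full referrer): only http(s) on exactly our own host passes.
        // A protocol-relative "//other-host/x" has a host but no scheme and is rejected here.
        if (!isset($parts['scheme'], $parts['host'])
            || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
            || strtolower($parts['host']) !== strtolower($own_host)) {
            return $default;
        }
    }
    $path = $parts['path'] ?? '/';
    // Emit only a site-relative path: a single leading "/" and no backslashes,
    // which some browsers treat as "/" and would let a path escape to another host.
    if ($path === '' || $path[0] !== '/'
        || (isset($path[1]) && $path[1] === '/')
        || strpos($path, '\\') !== false) {
        return $default;
    }
    // Never bounce the user back to the login page itself (redirect loop).
    if (preg_match('#^/login(?:/|$)#', $path)) {
        return $default;
    }
    // The fragment is dropped; only path and query are sent back to the browser.
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// In the login controller, after the credentials have been verified:
// header('Location: ' . safe_return_url($_POST['l'] ?? null, 'example.com'), true, 303);
// exit;
```

The same function serves the ?continue= value from the other answer; pass $_GET['continue'] instead of $_POST['l'].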

I think it is questionable whether, when the user clicks the login link in the menu, you should automatically assume that the user wants to be redirected back to the page where they clicked it. I consider this a flaw in logic. Take Stackoverflow: just because I click on the login link does not mean that I want to return to the last question.

However, there are some cases where it would be correct to assume that a person wants to go back, for example, if I raised a question and received a pop-up telling me I needed to log in. If I clicked the link there, it would be safe to assume that I want to return. But a plain login link in the navigation bar does not carry that implication.

+1

I would suggest making an AJAX call to log the user in, and if the AJAX call succeeds, just refresh the current page.

0
