I have a few links on my page. Most of them will redirect to the homepage if the user is not logged in. Instead of doing that, I want to direct the user to the login page, then direct them to the page they originally wanted to go.
So, for example, if the user is on index.php, and clicks on page10.php without being logged in. S/he should get directed to login.php. After logging in, the website should remember that the user originally wanted to go to page10.php.
How do I do that remembering part? I understand I can use cookies and/or php sessions, but are those the most appropriate ways (in this scenario) of remembering that the user wanted to go to page10.php?
No need to use sessions or get variables, simply access the HTTP_REFERER from the $_SERVER array on your login page, set it to a hidden element in your form then after submission redirect back to that URI
Append desired URL as part of the link. So if a user is not logged in redirect him:
login.php?url=<desired_url>
read the variable on login page, and upon success direct it there instead of index.
To get the URL on the server side look at $_SERVER['REQUEST_URI']
$_SERVER manual
First, redirect to login.php?return=ORIGINAL_URL
In login.php set $_SESSION['return'] = $_GET['return'];.
After a successful login, check if there is a $_SESSION['return'], if there is, and is a valid URL, redirect to it and unset $_SESSION['return'].
That's it.
PS: The reason why you should use session is because the user may not login successfully on the first try. Or may not have an account, he may want to register first. This way he will be redirected to the appropriate page even after creating an account.
Logging a user in implies that you will be using sessions. Sessions usually use a cookie, but they can be implemented by passing a session id around in the request if you don't want to or can't use cookies.
The appropriate way to do this is to use sessions as follows:
1) The authentication check redirects to the login page
2) the login pages checks if the target page is set in the session and if it is not it sets it to the referrer
3) if the login form is valid the target page is removed from the session and the user is redirected to the original page
4) otherwise the form is redisplayed.
Related
I have a log in widget included on every page on my website. Currently when they log in, they are redirected to the home page. However I want it so when they log in, they stay on the page they are currently viewing.
On my forum you have to be logged in to post (obviously). I would like it so they will stay on the forum post they are trying to reply to after logging in, rather than having to find it again. How do I do this?
The simplest (albeit not completely reliable way is to use HTTP_REFERER and redirect to the referer page. You might need to pass this around a bit in case your login action spans multiple page.
The more proper way is to set the current (unlogged) page in session and redirect to that session value page on login.
You can bind your current page inside your login widget inside a hidden field and tell the authentication page to redirect to this binded value as a page after login success .
Or if you want to be more secure try using sessions and bing the current page inside it then extract the variable binded into this session in your authentication page then redirect to it as a valid page
and you can also check this variable if is a valid page by using file_exists so plz try that and tell me the result
It depends on the case but a couple options come to mind;
Having a redirect parameter that will redirect the user once he logs in.
Using the HTTP_REFERER to refer the user back to where he came from.
Depending on the login form; you could send an ajax request to login the user without moving him
But I think it ultimately depends on your environment and since you haven't provided any information/code other than my forum I can only be as vague as your question.
I am currently working on developing a simple web system, so an user first will be directed to a login page, then a processing page. If its account data provided is correct, it will be directed to the main page, so it can carry out some actions, at last it can logout.
So what I want to ask is: how can I prevent user to access the processing, main or logout page before they login, I mean, if I do not limit it, the login action is by some means useless. I am using wamp to develop the web system.
I have considered making use of the session variable, however, I have no idea how to check the value of the variable. If I start a session at the login page, so if I skip the login page but directed go to the main page, do I have those session variable present in the main page?
1) Add session_start(); at the top of the php page to initialize sessions.
2) Add if statement
if($_SESSION['logged_in'] == 1) { ..show page.. } else { show login page }
3) Create a login form which validates data, if data is correct then it adds $_SESSION['logged_in'] = 1; and redirects to profile page with logout button.
That's all :)!
I suggest that you check some tutorials, since it will give you some more information how to do that - http://www.intechgrity.com/create-login-admin-logout-page-in-php-w/ or any other link via google - "How to create login/logout functions with SESSIONS".
About your question, in each page you will put session_start(); at the start of the file, they will have all sessions you have specified for user.
EDIT:
Added few useful links -
http://www.php.net/manual/en/book.session.php
http://www.tizag.com/phpT/phpsessions.php/
http://www.w3schools.com/php/php_sessions.asp
well,this is what i will do. Check with an if statement if a session variable that holds, for example, the username from the login page exists, then if it doesn't show an error 404 page, or redirect the user to any error page...you might want to create that yourself anyway (so that it redirects them back to the login page).
<?
session_start();
if(!$_SESSION['username']){
header("Location: HTTP/1.1 404 File Not Found", 404);
exit;}
?>
You could also create a new file and place this code there so that you call it on everypage that will require a user to login before accessing it....
but try to access non login page for the first time then you will be redirected to login page then try to access the same non login page for the second time you'll have the access already even you didn't log-in.
I'm directing users to a page on my site from email (possibly an email client). When they reach the site they are presented with login screen and the address where they were headed is lost.
How can I capture the entire address that they were trying to visit, so that I can redirect them to it once they log in?
You need to capture the address as you redirect them to the login page, (ie when you check if they are logged in) I'd recommend storing it in a session. A very quick method would be to redirect to /login.php?from=store.php for example, however this is not the best way as the $_GET['from'] could be hijacked to redirect the user somewhere else, which is why I use $_SESSION to store this value.
First of all, I don't know much about Symfony so I will let you know what I do in PHP.
There are a few techniques I use depending on the app.
Option 1: I send the user to the page they are to log into, e.g. mydomain.com/landing.php and set a SESSION variable with the URL before redirecting to the login form. When the login is performed successfully there is a header function that will redirect to the originating page where the logged in user can now interact with the page.
Option 2: I create a login function and where there is no login SESSION or COOKIE the form is called, upon submitting the form using action="<? echo $_SERVER['PHP_SELF']; ?> I set a POST variable and before any HTML tag is called I have something like
if(isset($_POST['run_login'])) {
include('my_login_handler.php');
}
This takes care of the login activity and doesn't require any redirection to the target page as it is handled inline.
Option 3: Like option 2, I create a login function here there is no login SESSION or COOKIE, but this time I POST the data to my_login_handler.php rather than including it. Upon successful authentication to the site I call header('Location: '.$_SERVER['HTTP_REFERER']); that will redirect to the referring page meaning I don't need to set any special COOKIES or SESSION variables to handle to redirect back to the target page.
The right option, regardless if it is here or not, is going to depend on your application and what you can/need to do. So have a play with the various suggestions and see what works best in the application you're currently working on.
Good luck!
Here are my pages:
Redirect Page:
if user has an open session, redirect to the proper resource
else redirect to login page
Login Page:
if user login info is valid, redirect to $_SERVER['HTTP_REFERER']
else display login page
When you visit the redirect page, it sees that you do not have a valid session and redirects to the login page. You can then login no problems, but after authentication I receive the "This webpage has a redirect loop." page in Chrome.
It's not a true loop, since there are several ways out (IE provide valid login details and go to destination resource, provide invalid login and receive error message, etc). But I can see the browser's confusion (going from a to b to a again).
Any ideas how I can solve this problem?
Cheers
$_SERVER['HTTP_REFERER'] will always be the login page since you have to load the login page right before you successfully login. So once you successfully login, the referrer is the login page, so the login page redirects you to the login page, which you still successfully logged in, so it logs you in over and over.
Rather than relying on $_SERVER['HTTP_REFERER'] you should probably store the page they are trying to get to in either a $_SESSION or $_COOKIE variable. Most likely session will be better, depending upon your setup.
After submitting your login details, $_SERVER['HTTP_REFERER'] is going to be the URL of your login page, since the last page the user saw was the form for them to login.
Consider storing the 'redirect to' url in the PHP Session before you redirect to the login page. You could also pass it as a parameter when you redirect to the login page, but I can see that approach having potential security flaws (such as redirecting users to another site, adding fake HTTP headers etc)
My guess is:
If the user has a session, but not a valid one (e.g.: the session hash does not match), it gets redirected to the login page (since he has a session). But when he gets there, you check if he has a session, and he does (but it's not valid), so you redirect him to the index resource. There, you check if the session is valid, but it's not. So you redirect him to the login page. And so on...
How to fix it? Check for session validity (not only for existence) in both the login page and the other resources.
And of course, if the HTTP_REFERER is login, ignore it and forward to the index resource.
You should always check that the $_SERVER['HTTP_REFERER'] variable contains valid data, as it is not to be trusted since user agents provides this value.
From the php.net manual
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
You could let your login page do the redirection in one pass (without redirecting back to the "redirect page").
Are there any 'best practices' concerning how one should return a user to their original page after logging in to your website, specifically in PHP? e.g. if I'm viewing a StackOverflow question while not logged in, how would you ensure that I return to this question if I logged in?
From my research, it seems a lot of advice centers around the $_SERVER['HTTP_REFERER'] variable. Basically, you take note of the referer and store it in the session, then redirect back to that page when you're done.
The problem with this is that HTTP_REFERER is unreliable at best.
This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
— [http://php.net/manual/en/reserved.variables.server.php]
Any edits to the referer to redirect to other areas of the site will be handled by routine permissions checks. If the referer gets blanked out, it might be acceptable to simply redirect the user to the main page of the site rather than the page they came from. This seems needlessly user hostile though, and I was hoping there would be some better way to handle this.
On login page:
<form action="controller/LoginController" method="post">
<?php
if (isset($_SERVER['HTTP_REFERER'])) {
echo '<input type="hidden" name="l" value="'.htmlspecialchars($_SERVER['HTTP_REFERER']).'" />';
}
?>
<!-- the rest of the form -->
<input type="submit" />
</form>
At login controller, you take in the $_POST['l'] value and see whether or not this URL is on your own website. If it isn't, redirect to your default page, else redirect to this URL.
Make sure that on your login page if user is already logged in, you redirect the user back to home page or something. This will prevent cases like redirecting back to login.
$_SERVER['HTTP_REFERER'] is a browser responsibility. It is also most of the time rather reliable. If the browser doesn't send, or if you are worried about it, you can use session instead.
on every page simply set $_SESSION['lastvisitpage'] to the current page URL. On login then you redirect to $_SESSION['lastvisitpage'].
Since $_SERVER['HTTP_REFERER'] can be faked by a user at any time, one should always treat is any other user-supplied variable by properly escaping it.
It would be better if you store the last visited page on your own, maybe with the help of a session.
If the user requests a page from your website the first time, start a new session and initialize last-URI with the current URI. Update this last-URI whenever another page is requested until it’s the login page. Now if the authentication is successful, you can redirect to user to the URI in last-URI.
And if you have a login form on every page, use a hidden input where the current URI is stored in.
if(user_not_logged_in())
{
$link = "http://example.com/login?continue=path/to/current/page";
echo 'Loign';
}
This is how I, and sites like Google, does it. You would need to make sure that you check the continue variable and sanitize it of weird URLs first however.
Another option is use AJAX, and allow the user to login from any page. User logs in, you submit the form via AJAX, refresh when the request comes back.
I think you might be asking if the user specifically clicks on the login link on a menu, you automatically think that the user wants to be redirected to the page that they pressed the button from. This I believe is a flaw in logic. Take StackOverflow. Just because I press login doesn't mean I want to return to the question I was last on.
However, there are some instances that it would be correct to assume the person wants to go back, such as if I upvoted a question and got the popup telling me to login. If I clicked the link there, it would be safe to assume that I want to go back. But just the login link on the nav bar doesn't have that implied meaning.
I would suggest make an AJAX call to login the user and on successful AJAX response just refresh the current page.
Use PHP sessions and the $_SESSION object to define a "continue location". Here is the code I use in one of my projects. When the user is logged in, I set the $_SESSION['loggedin'] to TRUE.
Here is the code to check on a sub-page, let's call it "sub-page.php" if the user is logged in. If not, I set the $_SESSION['contloc'] to the url of the that page and redirect the user to the login page.
// We need to use sessions, so you should always start sessions using the below code.
session_start();
// If the user is not logged in redirect to the login page...
if (!isset($_SESSION['loggedin'])) {
$_SESSION['contloc'] = 'sub-page.php';
header('Location: index.php');
exit;
}
In the script where the user / password is validated, I then get the value of $_SESSION['contloc'] and redirectx the user to the page the user initially opened:
$continueLocation = '';
if(isset($_SESSION["contloc"])&& !($_SESSION["contloc"] === "")){
$continueLocation = $_SESSION["contloc"];
$_SESSION["contloc"] = ''; //reset continue location
header('Location: ' . $continueLocation);
exit;
}else{
header('Location: menu.php');
}
(if the user did not come from a sub-page, the authenticate script simply redirects to the menu.php)