Connecting Tech Pros Worldwide Help | Site Map
bytes > topic > php > answers

The prefered 'login' procedure and redirect.

Simon
Guest
  
Posts: n/a
#1: Jul 17 '05
Hi,

I have a Login.php page that logs the user in and out.
I has two forms within the page, (depending on what we are trying to do),
either one to log in or out.

The form calls itself using a post method and either logs the user in our
out given the information from the form.
but every pages use sessions and cookies, if the user is successfully logged
in then the cookies and session values are updated, (as well as MySQL).

Now it all works fine but I want to add some functionality where if the user
goes to a restricted page they are sent to the login page, and if the login
is successful then they will be sent back to the original restricted page.

I can redirect the user from the restricted page to the login page, but
returning to the restricted page after login is a problem as the headers
have been sent already, (to do the login).
Because the login uses sessions/cookies and tables I have to send the
headers to do the login as I cannot login the user and then redirect them to
a page, (the redirect must be before sessions/cookies I believe.

So what is the 'preferred way to redirect users after a successful login?

Simon
Geoff Berrow
Guest
  
Posts: n/a
#2: Jul 17 '05

re: The prefered 'login' procedure and redirect.

I noticed that Message-ID: <3af6kuF68kv59U1@individual.net> from Simon
contained the following:
[color=blue]
>I can redirect the user from the restricted page to the login page, but
>returning to the restricted page after login is a problem as the headers
>have been sent already, (to do the login).[/color]

But the login page calls itself. So set a session variable to contain
information about the page they want to go to and do all the checking
before outputting any html. then you can read the session variable
containing the referring page information and redirect accordingly.

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Kenneth Downs
Guest
  
Posts: n/a
#3: Jul 17 '05

re: The prefered 'login' procedure and redirect.

Simon wrote:
[color=blue]
> Hi,
>
> I have a Login.php page that logs the user in and out.
> I has two forms within the page, (depending on what we are trying to do),
> either one to log in or out.
>
> The form calls itself using a post method and either logs the user in our
> out given the information from the form.
> but every pages use sessions and cookies, if the user is successfully
> logged in then the cookies and session values are updated, (as well as
> MySQL).
>
> Now it all works fine but I want to add some functionality where if the
> user goes to a restricted page they are sent to the login page, and if the
> login is successful then they will be sent back to the original restricted
> page.
>[/color]

Dispatchers are pretty good at this. If all page requests go through a
dispatcher, it can determine if the user has a valid session. If not, they
go to the login page. Your present case fits right in easily.

--
Kenneth Downs
Secure Data Software, Inc.
(Ken)nneth@(Sec)ure(Dat)a(.com)
Andy Hassall
Guest
  
Posts: n/a
#4: Jul 17 '05

re: The prefered 'login' procedure and redirect.

On Thu, 24 Mar 2005 06:56:25 -0000, "Simon" <spambucket@myoddweb.com> wrote:
[color=blue]
>I have a Login.php page that logs the user in and out.
>I has two forms within the page, (depending on what we are trying to do),
>either one to log in or out.
>
>The form calls itself using a post method and either logs the user in our
>out given the information from the form.
>but every pages use sessions and cookies, if the user is successfully logged
>in then the cookies and session values are updated, (as well as MySQL).
>
>Now it all works fine but I want to add some functionality where if the user
>goes to a restricted page they are sent to the login page, and if the login
>is successful then they will be sent back to the original restricted page.
>
>I can redirect the user from the restricted page to the login page, but
>returning to the restricted page after login is a problem as the headers
>have been sent already, (to do the login).
>Because the login uses sessions/cookies and tables I have to send the
>headers to do the login as I cannot login the user and then redirect them to
>a page, (the redirect must be before sessions/cookies I believe.
>
>So what is the 'preferred way to redirect users after a successful login?[/color]

The simplest method, which only works if the resource you're protecting is a
PHP script, is to "include" a function to check the login on each protected
page before any output is sent.

This function can check sessions/cookies/whatever, and since it's being called
by the protected page, it has access to variables such as $_SERVER['PHP_SELF']
or $_SERVER['REQUEST_URI'] and so on, in other words, all the information
required to reconstruct the URL being accessed, including GET variables.

If the login function can't authenticate the user, it can present a login form
instead of the protected URL, posting back to your Login.php with a hidden form
field containing the URL. On successful login, it can issue a "Location" header
back to the URL saved from earlier.

If you're protecting a POST things get a little more awkward since redirecting
POST data is not consistently supported across browsers, but you could transfer
the POST variables into a session variable, and reconstruct the form fields, so
after successfully logging in, it could present a "OK, you're logged in, now
click this submit button to retry your request" form.

If you're trying to protect non-PHP resources, i.e. you can't add a check at
the top of each page, then it gets much more complicated.

--
Andy Hassall / <andy@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
Chung Leong
Guest
  
Posts: n/a
#5: Jul 17 '05

re: The prefered 'login' procedure and redirect.

"Simon" <spambucket@myoddweb.com> wrote in message
news:3af6kuF68kv59U1@individual.net...[color=blue]
> Hi,
>
> I have a Login.php page that logs the user in and out.
> I has two forms within the page, (depending on what we are trying to do),
> either one to log in or out.
>
> The form calls itself using a post method and either logs the user in our
> out given the information from the form.
> but every pages use sessions and cookies, if the user is successfully[/color]
logged[color=blue]
> in then the cookies and session values are updated, (as well as MySQL).
>
> Now it all works fine but I want to add some functionality where if the[/color]
user[color=blue]
> goes to a restricted page they are sent to the login page, and if the[/color]
login[color=blue]
> is successful then they will be sent back to the original restricted page.
>
> I can redirect the user from the restricted page to the login page, but
> returning to the restricted page after login is a problem as the headers
> have been sent already, (to do the login).
> Because the login uses sessions/cookies and tables I have to send the
> headers to do the login as I cannot login the user and then redirect them[/color]
to[color=blue]
> a page, (the redirect must be before sessions/cookies I believe.
>
> So what is the 'preferred way to redirect users after a successful login?[/color]

When a user access a restricted page and he/she is not logged in, redirect
him/her to the login page with the requested uri in the URL. The login page
writes the request uri in a hidden field along with fields for user name and
password. When authentication/authorization is successful, the post handling
code of the login page redirects to the request uri. If not, the login page
redirects to itself.

Redirect can happens after the session is set, since it's just an HTTP
header. There's no problem simultaneously setting a cookie and redirecting
the browser.
Simon
Guest
  
Posts: n/a
#6: Jul 17 '05

re: The prefered 'login' procedure and redirect.

"Chung Leong" <chernyshevsky@hotmail.com> wrote in message
news:SvCdnS5tbPA9J97fRVn-gw@comcast.com...[color=blue]
>
> When a user access a restricted page and he/she is not logged in, redirect
> him/her to the login page with the requested uri in the URL. The login
> page
> writes the request uri in a hidden field along with fields for user name
> and
> password. When authentication/authorization is successful, the post
> handling
> code of the login page redirects to the request uri. If not, the login
> page
> redirects to itself.
>
> Redirect can happens after the session is set, since it's just an HTTP
> header. There's no problem simultaneously setting a cookie and redirecting
> the browser.
>[/color]

Thanks all for the replies.
I was having a problem with my headers, I had a rogue character that was
somehow causing the headers to be sent, a bit of trimming solved the
problem.
I thought it was because I was doing session work b4 sending the header that
I was having a problem.

So in case you are developing in Windows and Unix remember that some rogue
characters can cause problems with the headers.

Thanks all.

Simon
Closed Thread

« previous question | next question »

Similar PHP bytes

/bytes/development

/bytes/it

/bytes/about

We are a network of experts and professionals in IT and software development that help one another with answers to tough questions and share insights. Get the best answers to your questions from over 226,295 network members.

dev questions:
algorithms | asp | asp.net | c/c++ | coldfusion | c# | flash | html/css | java | javascript |
mobile dev | .net | perl | php | python | ruby | software dev | vb.net | visual basic | xml
it questions:
access | apache | careers | db2 | iis | macosx | mysql | networking | oracle | postgresql | sql server | unix | windows

About Bytes | Copyright 1995-2009 BYTES. All rights Reserved