Álvaro G. Vicario wrote:
Quote:
Jerry Stuckle wrote:
Quote:
Quote:
>>>>>How can I go to access.php and then if the user object is not set, it
>>>>>forwards me to the index page and the index page now knows where it
>>>>>came from so that the index page can follow some logic and return to
>>>>>the access.php page?
>>>>>
>>>>Just add a new parameter:
>>>>>
>>>>$return = $_SERVER['REQUEST_URI'];
>>>>header('Location: http://example.com/index.php?return=' .
>>>> rawurlencode($return));
>>>>>
>>>>>
>>>>
>>>Even worse than using HTTP_REFERER.
>>>
>>The reason is not obvious to me (if it was, I would not have
>>recommended it). Sites like Gmail and Yahoo do it this way:
>>>
>>
https://www.google.com/accounts/ServiceLogin? ...
>>continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl
>>>
>>
http://us.rd.yahoo.com/ ... done=http%3a//groups.yahoo.com
>>>
>>... so I never thought it could be so wrong. Can you elaborate on this?
>>>
>>>
>>>
>>
>Anyone can put anything in the URL.
>>
>Not only are Yahoo and GMail using it for something entirely
>different,
>
Perhaps I didn't understand the OP requirements. I took it for granted
that he wanted to redirect the user from an arbitrary restricted access
page to a single sign-in page and once validated get him back to
whatever he wanted to see.
>
If he wants to use the URL for something else than an HTTP redirect then
it's a different issue.
>
Ah, now that I go back and read the original message again, I see how
you came to that conclusion, and that I was wrong.
Yes, this will do it - but you still need to be careful. The user can
put anything in there - including some other address. It shouldn't be a
problem if you properly protect all of the pages on the site, though.
Quote:
>
Quote:
>but "someone else is doing it" is NEVER a good reason. I don't care
>who it is.
>
I tend to trust third-party ideas when they look good to me. I even run
binaries I didn't compile myself ;-)
>
>
I trust binaries from trusted sources. As for ideas like this, I look
at them and see how well they would fit into the rest of the site. But
you need to be careful because you don't necessarily know what's going
on behind the scenes.
In a case like this, I prefer to place the value in the $_SESSION array.
When they successfully log in, clear it from the $_SESSION array and
redirect to that page. I find it keeps the URLs cleaner, among other
things. And this way you know where they came from.
Of course, they won't be able to bookmark the URL, which may or may not
be good. But they can always bookmark the original page, once they're
signed in.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
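
The session-based return described in the last reply, as an added example that is not code from the thread; the function names, the `return_to` and `user` session keys and the `/index.php` fallback are assumptions. It also restricts the target to a same-site path, so the same check can be applied to a `?return=` parameter, where "the user can put anything in there".

```php
<?php
// Added example, not code from the thread. All function names and session keys are hypothetical.
// Assumes session_start() has already been called on every page.
declare(strict_types=1);

/** Accept only a same-site path such as "/access.php?id=3"; anything else gets the fallback. */
function safe_return_path(?string $candidate, string $fallback = '/index.php'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // Reject control characters (header injection) and backslashes (some browsers treat "\" as "/").
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate)) {
        return $fallback;
    }
    // Must start with exactly one "/": blocks "//other.example" and "http://..." forms.
    if ($candidate[0] !== '/' || strncmp($candidate, '//', 2) === 0) {
        return $fallback;
    }
    // Defence in depth: a local path must not parse as having a scheme or host.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $candidate;
}

/** Called by a protected page (e.g. access.php) when no user object is in the session. */
function require_login(): void
{
    if (!isset($_SESSION['user'])) {
        $_SESSION['return_to'] = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: /index.php');
        exit;
    }
}

/** Called by the sign-in page once the credentials have been verified. */
function finish_login(object $user): void
{
    session_regenerate_id(true);        // fresh session ID after the privilege change
    $target = safe_return_path($_SESSION['return_to'] ?? null);
    unset($_SESSION['return_to']);      // one-shot value: cleared on successful login
    $_SESSION['user'] = $user;
    header('Location: ' . $target);
    exit;
}
```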