On Thu, 24 Mar 2005 06:56:25 -0000, "Simon" <sp********@myoddweb.com> wrote:
I have a Login.php page that logs the user in and out.
It has two forms within the page, (depending on what we are trying to do),
either one to log in or out.
The form calls itself using a post method and either logs the user in or
out given the information from the form.
But every page uses sessions and cookies; if the user is successfully logged
in then the cookies and session values are updated, (as well as MySQL).
Now it all works fine but I want to add some functionality where if the user
goes to a restricted page they are sent to the login page, and if the login
is successful then they will be sent back to the original restricted page.
I can redirect the user from the restricted page to the login page, but
returning to the restricted page after login is a problem as the headers
have been sent already, (to do the login).
Because the login uses sessions/cookies and tables I have to send the
headers to do the login as I cannot log in the user and then redirect them to
a page, (the redirect must be before sessions/cookies I believe).
So what is the preferred way to redirect users after a successful login?
The simplest method, which only works if the resource you're protecting is a
PHP script, is to "include" a function to check the login on each protected
page before any output is sent.
This function can check sessions/cookies/whatever, and since it's being called
by the protected page, it has access to variables such as $_SERVER['PHP_SELF']
or $_SERVER['REQUEST_URI'] and so on, in other words, all the information
required to reconstruct the URL being accessed, including GET variables.
If the login function can't authenticate the user, it can present a login form
instead of the protected URL, posting back to your Login.php with a hidden form
field containing the URL. On successful login, it can issue a "Location" header
back to the URL saved from earlier.
If you're protecting a POST things get a little more awkward since redirecting
POST data is not consistently supported across browsers, but you could transfer
the POST variables into a session variable, and reconstruct the form fields, so
after successfully logging in, it could present an "OK, you're logged in, now
click this submit button to retry your request" form.
If you're trying to protect non-PHP resources, i.e. you can't add a check at
the top of each page, then it gets much more complicated.
--
Andy Hassall / <an**@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
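As an added illustration of the approach Andy describes (not code from either poster), here is a guard that protected PHP pages include before any output, together with the matching step for Login.php. It goes slightly beyond the reply by keeping the return URL in the session rather than a hidden field, and by validating it so the stored URL can only point back into the same site. The session key names, the 303 status and the hypothetical `check_credentials()` call are assumptions.

```php
<?php
// Added example, not from the original thread. Assumes a session marker
// $_SESSION['user_id'] is set once a user is authenticated.

function safe_return_url(string $candidate): string {
    // Accept only a site-local absolute path (no scheme, no host, no "//"
    // prefix, no header-injection characters); otherwise fall back to "/".
    if ($candidate === '' || $candidate[0] !== '/' || substr($candidate, 0, 2) === '//') {
        return '/';
    }
    if (preg_match('/[\r\n]/', $candidate)) {
        return '/';
    }
    if (parse_url($candidate, PHP_URL_SCHEME) !== null || parse_url($candidate, PHP_URL_HOST) !== null) {
        return '/';
    }
    return $candidate;
}

// Include and call this at the very top of each protected page, before any
// output, so header() can still be sent.
function require_login(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!empty($_SESSION['user_id'])) {
        return; // already logged in, let the page render
    }
    // Remember path + query string of the page being requested, then bounce
    // to the login form. Stored server-side, so the user cannot tamper with it.
    $_SESSION['return_to'] = safe_return_url($_SERVER['REQUEST_URI'] ?? '/');
    header('Location: /Login.php', true, 303);
    exit;
}

// In Login.php, after the POSTed credentials have been verified against the
// user table (hypothetical check_credentials() returns the user's id or null):
function finish_login(int $userId): void {
    session_regenerate_id(true);        // fresh session id after the privilege change
    $_SESSION['user_id'] = $userId;
    $target = safe_return_url($_SESSION['return_to'] ?? '/');
    unset($_SESSION['return_to']);
    header('Location: ' . $target, true, 303);  // 303: browser follows with GET
    exit;
}

// Usage in Login.php:
//   session_start();
//   $id = check_credentials($_POST['user'] ?? '', $_POST['pass'] ?? '');
//   if ($id !== null) { finish_login($id); }
```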