The preferred 'login' procedure and redirect.

Hi,

I have a Login.php page that logs the user in and out.
It has two forms within the page, (depending on what we are trying to do),
either one to log in or out.

The form calls itself using a post method and either logs the user in or
out given the information from the form.
But every page uses sessions and cookies; if the user is successfully logged
in then the cookies and session values are updated, (as well as MySQL).

Now it all works fine but I want to add some functionality where if the user
goes to a restricted page they are sent to the login page, and if the login
is successful then they will be sent back to the original restricted page.

I can redirect the user from the restricted page to the login page, but
returning to the restricted page after login is a problem as the headers
have been sent already, (to do the login).
Because the login uses sessions/cookies and tables I have to send the
headers to do the login as I cannot login the user and then redirect them to
a page, (the redirect must be before sessions/cookies I believe).

So what is the 'preferred' way to redirect users after a successful login?

Simon
Jul 17 '05 #1
I noticed that Message-ID: <3a*************@individual.net> from Simon
contained the following:
> I can redirect the user from the restricted page to the login page, but
> returning to the restricted page after login is a problem as the headers
> have been sent already, (to do the login).

But the login page calls itself. So set a session variable to contain
information about the page they want to go to and do all the checking
before outputting any HTML. Then you can read the session variable
containing the referring page information and redirect accordingly.

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Jul 17 '05 #2
Simon wrote:
> Hi,
>
> I have a Login.php page that logs the user in and out.
> It has two forms within the page, (depending on what we are trying to do),
> either one to log in or out.
>
> The form calls itself using a post method and either logs the user in or
> out given the information from the form.
> But every page uses sessions and cookies; if the user is successfully
> logged in then the cookies and session values are updated, (as well as
> MySQL).
>
> Now it all works fine but I want to add some functionality where if the
> user goes to a restricted page they are sent to the login page, and if the
> login is successful then they will be sent back to the original restricted
> page.

Dispatchers are pretty good at this. If all page requests go through a
dispatcher, it can determine if the user has a valid session. If not, they
go to the login page. Your present case fits right in easily.

--
Kenneth Downs
Secure Data Software, Inc.
(Ken)nneth@(Sec)ure(Dat)a(.com)
Jul 17 '05 #3
On Thu, 24 Mar 2005 06:56:25 -0000, "Simon" <sp********@myoddweb.com> wrote:
> I have a Login.php page that logs the user in and out.
> It has two forms within the page, (depending on what we are trying to do),
> either one to log in or out.
>
> The form calls itself using a post method and either logs the user in or
> out given the information from the form.
> But every page uses sessions and cookies; if the user is successfully logged
> in then the cookies and session values are updated, (as well as MySQL).
>
> Now it all works fine but I want to add some functionality where if the user
> goes to a restricted page they are sent to the login page, and if the login
> is successful then they will be sent back to the original restricted page.
>
> I can redirect the user from the restricted page to the login page, but
> returning to the restricted page after login is a problem as the headers
> have been sent already, (to do the login).
> Because the login uses sessions/cookies and tables I have to send the
> headers to do the login as I cannot login the user and then redirect them to
> a page, (the redirect must be before sessions/cookies I believe).
>
> So what is the 'preferred' way to redirect users after a successful login?

The simplest method, which only works if the resource you're protecting is a
PHP script, is to "include" a function to check the login on each protected
page before any output is sent.

This function can check sessions/cookies/whatever, and since it's being called
by the protected page, it has access to variables such as $_SERVER['PHP_SELF']
or $_SERVER['REQUEST_URI'] and so on, in other words, all the information
required to reconstruct the URL being accessed, including GET variables.

If the login function can't authenticate the user, it can present a login form
instead of the protected URL, posting back to your Login.php with a hidden form
field containing the URL. On successful login, it can issue a "Location" header
back to the URL saved from earlier.

If you're protecting a POST things get a little more awkward since redirecting
POST data is not consistently supported across browsers, but you could transfer
the POST variables into a session variable, and reconstruct the form fields, so
after successfully logging in, it could present a "OK, you're logged in, now
click this submit button to retry your request" form.

If you're trying to protect non-PHP resources, i.e. you can't add a check at
the top of each page, then it gets much more complicated.

--
Andy Hassall / <an**@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
Jul 17 '05 #4
"Simon" <sp********@myoddweb.com> wrote in message
news:3a*************@individual.net...
> Hi,
>
> I have a Login.php page that logs the user in and out.
> It has two forms within the page, (depending on what we are trying to do),
> either one to log in or out.
>
> The form calls itself using a post method and either logs the user in or
> out given the information from the form.
> But every page uses sessions and cookies; if the user is successfully logged
> in then the cookies and session values are updated, (as well as MySQL).
>
> Now it all works fine but I want to add some functionality where if the user
> goes to a restricted page they are sent to the login page, and if the login
> is successful then they will be sent back to the original restricted page.
>
> I can redirect the user from the restricted page to the login page, but
> returning to the restricted page after login is a problem as the headers
> have been sent already, (to do the login).
> Because the login uses sessions/cookies and tables I have to send the
> headers to do the login as I cannot login the user and then redirect them to
> a page, (the redirect must be before sessions/cookies I believe).
>
> So what is the 'preferred' way to redirect users after a successful login?

When a user accesses a restricted page and he/she is not logged in, redirect
him/her to the login page with the requested URI in the URL. The login page
writes the request URI in a hidden field along with fields for user name and
password. When authentication/authorization is successful, the post handling
code of the login page redirects to the request URI. If not, the login page
redirects to itself.

Redirect can happen after the session is set, since it's just an HTTP
header. There's no problem simultaneously setting a cookie and redirecting
the browser.
Jul 17 '05 #5
"Chung Leong" <ch***********@hotmail.com> wrote in message
news:Sv********************@comcast.com...

> When a user accesses a restricted page and he/she is not logged in, redirect
> him/her to the login page with the requested URI in the URL. The login page
> writes the request URI in a hidden field along with fields for user name and
> password. When authentication/authorization is successful, the post handling
> code of the login page redirects to the request URI. If not, the login page
> redirects to itself.
>
> Redirect can happen after the session is set, since it's just an HTTP
> header. There's no problem simultaneously setting a cookie and redirecting
> the browser.

Thanks all for the replies.
I was having a problem with my headers, I had a rogue character that was
somehow causing the headers to be sent, a bit of trimming solved the
problem.
I thought it was because I was doing session work b4 sending the header that
I was having a problem.

So in case you are developing in Windows and Unix remember that some rogue
characters can cause problems with the headers.

Thanks all.

Simon
Jul 17 '05 #6
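
The flow described in replies #4 and #5 (capture the requested URI, carry it through the login form, redirect on success), with the stray-output problem from #6 reported by file and line, as an added example that is not code from any poster in this thread. The function names, the `return` field, the `user_id` session key and the `$checkCredentials` callback are assumptions; the return target is accepted only when it is a path on the same site.

```php
<?php
// Added example; function names, the 'return' field and 'user_id' key are assumptions.
// Accept only a same-site absolute path ("//host" is scheme-relative, so it is refused,
// as are backslashes and control characters); anything else falls back to $default.
function safe_return_path($candidate, string $default = '/'): string
{
    if (!is_string($candidate) || $candidate === '' || $candidate[0] !== '/') {
        return $default;
    }
    if (substr($candidate, 0, 2) === '//' || preg_match('/[\x00-\x1f\x7f\\\\]/', $candidate)) {
        return $default;
    }
    return $candidate;
}

// Send a Location header, reporting where output started if headers are already gone.
function redirect(string $path): void
{
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Cannot redirect: output started at $file:$line");
    }
    header('Location: ' . $path);
    exit;
}

// Call at the top of each protected page, before any output.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {
        $target = safe_return_path($_SERVER['REQUEST_URI'] ?? null);
        redirect('/Login.php?return=' . rawurlencode($target));
    }
}

// POST handler for Login.php; $checkCredentials stands in for the site's own lookup
// and returns a user id, or null when the credentials are wrong.
function handle_login_post(callable $checkCredentials): void
{
    session_start();
    $target = safe_return_path($_POST['return'] ?? null);
    $userId = $checkCredentials($_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($userId === null) {
        redirect('/Login.php?return=' . rawurlencode($target));
    }
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['user_id'] = $userId;
    redirect($target);
}
```

The login form writes the `return` value into its hidden field through `htmlspecialchars()`, and the POST handler validates it again because the field comes back from the browser.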
