Jump to content

How to handle Log-In routing??


doubledee

Recommended Posts

Okay, so now I need help evolving my Log-In system...  :shy:

 

Up until now, the only place a user could log-in was on a given Article page if they wanted to add a comment to the Article.

 

To accommodate that feature, I was setting the "Return To Page" only in my "article.php" script like this...

 

$_SESSION['returnToPage'] = $_SERVER['SCRIPT_NAME'] . '?title=' . $articleTitle;

 

 

However, now I want to expand things.

 

I'm growing increasingly confused about how to manage where to route people when they long-in?!  :confused: :confused:

 

1.) Sometimes a user will Log-In and want to return where they were at  (e.g. index.php, article1234.php)

 

2.) Sometimes a user might want to continue down a path (e.g. Checking Out, Registering for a Workshop, Sending a Message)

 

Is there some kind of strategy to handle this?  (nothing over complex, but there must be some Best Practices that work?!

 

 

 

Debbie

 

 

Link to comment
Share on other sites

Is there some kind of strategy to handle this?

 

Yes, you design your log in system so that you simply include it into any page that needs it. If the visitor is not logged in, the log in form is produced and you output it where you want it to be on the page. If the form is submitted, it submits to the current page and the log in form processing code is executed to authenticate the username/password and log the person in. If the current visitor is logged in, you produce a welcome message/log out link and output it where you want it to be on the page.

Link to comment
Share on other sites

Is there some kind of strategy to handle this?

 

Yes, you design your log in system so that you simply include it into any page that needs it. If the visitor is not logged in, the log in form is produced and you output it where you want it to be on the page. If the form is submitted, it submits to the current page and the log in form processing code is executed to authenticate the username/password and log the person in. If the current visitor is logged in, you produce a welcome message/log out link and output it where you want it to be on the page.

 

Right now the process flow I have is...

 

"Article123.php" ---> "LogInpage.php" ---> "Article123.php"

 

 

What you described sounds like everything would stay on "Article123.php"?

 

Is that correct?

 

 

Debbie

 

Link to comment
Share on other sites

It may not be as sophisticated as some schemes, but I'd prefer having users taken to a standalone Log-In Page for now.  (If for no other reason because I didn't build a Log-In Form to be part of each page and don't want to change my design.)

 

It seems to me what I need at the very least is a Log-In page that can capture WHERE it received the Log-In request and then if Log-In was successful, return the user back to WHERE they came from.

 

(Currently I do it backwards and set the "ReturnToPath" on the REFERRING PAGE and then just let my Log-In page access that info via the Session.)

 

 

Debbie

 

 

Link to comment
Share on other sites

In the end what is important is that the end-user feels happy/comfortable with the solution you give.

 

But as PFMaBiSmAd mentioned. A very solid way is just to implement it on the same page the way you want, without having to deal with extra complexity.

 

If your not logged in, a username and password field are shown, else a welcome message. You can make the logic for that in a separate file and just include as said on each page you want people to have a logged in status.

 

Your method works too, but it's a little more complex (than needed). But it's good to try it out anyway

Link to comment
Share on other sites

In the end what is important is that the end-user feels happy/comfortable with the solution you give.

 

But as PFMaBiSmAd mentioned. A very solid way is just to implement it on the same page the way you want, without having to deal with extra complexity.

 

If your not logged in, a username and password field are shown, else a welcome message. You can make the logic for that in a separate file and just include as said on each page you want people to have a logged in status.

 

Your method works too, but it's a little more complex (than needed). But it's good to try it out anyway

 

Getting confused...

 

I think I have a bigger problem...  :-\

 

Here goes...

 

I just converted all of my physical Articles into database records and created a generic "article.php" that GETs the Query String it is sent and dynamically displays the appropriate Article.

 

But I also have the rest of my website pages as regular hard-coded pages with no Query String (e.g. indoex.php, contact_us.php, upcoming_events.php)

 

----

 

As far as Logging In, here is what I currently have...

 

- On "article.php" I store the "ReturnToPath" (i.e. "article.php" + query string) in a Session.

- When a user wants to add a comment, he/she clicks to "Log In", and is taken to "log_in2.php"

- "log_in2.php" redirects to like this...

 

// Redirect User.
if (isset($_SESSION['returnToPage'])){
header("Location: " . WEB_ROOT . $_SESSION['returnToPage']);
}else{
// Take user to Home Page.
header("Location: " . WEB_ROOT . "index.php");
}

 

What do I do for other pages?

 

For "index.php" do I just add code to that page to store its location in $_SESSION['returnToPage'] ??

 

Or do I add code - to capture the current page - in my Header file so that anywhere I display the "Log In" link I am also cpaturing where to return to, if you follow?

 

Maybe part of my confusion is having to add code to every page to capture that pages location.  (That seems excessive.)

 

Ideally I'd like a way for "log_in2.php" to see where a User was coming from and re-direct them back there if they successfully log in.

 

That way you only capture the "returnToPage" when it is needed, versus capturing it for every page on my website in case it is needed?!

 

Follow me?!

 

 

 

Debbie

 

 

Link to comment
Share on other sites

you are overcomplicating things. Before you code just get a pen and pencil and work out the most simplistic way of doing things.

 

As you stated, you want on every page, a welcome, user thing (if logged in) and Also something that allows them to login.

IF you combine those two, al you have to do is include 'login.php'; in the pages you want without having to mess around with headers()

 

Have a look at the attachment. That is how I would do it. You make some login logic script and where ever you want to use it include it. in the page in the position you like. The login form is self referencing so there is no need to remember where someone came from. (it all happens on the same page) Thus no need to overcomplicate things.

 

In the end you want (or atleast I would) 1 index.php where you include a nice template. Within that template you include little logics like a login form, twitter module etc. So in other words all the logic is in separate files and ones you need it you include it in your template.

 

If I were you I would just sit down and write down the logic for the 2 situations: Logged in and not logged in.

 

Combine those in 1 if clause Like in the image attached, and ones that works all you have to do is include it where ever you want.

 

[attachment deleted by admin]

Link to comment
Share on other sites

you are overcomplicating things. Before you code just get a pen and pencil and work out the most simplistic way of doing things.

 

As you stated, you want on every page, a welcome, user thing (if logged in) and Also something that allows them to login.

IF you combine those two, al you have to do is include 'login.php'; in the pages you want without having to mess around with headers()

 

Have a look at the attachment. That is how I would do it. You make some login logic script and where ever you want to use it include it. in the page in the position you like. The login form is self referencing so there is no need to remember where someone came from. (it all happens on the same page) Thus no need to overcomplicate things.

 

In the end you want (or atleast I would) 1 index.php where you include a nice template. Within that template you include little logics like a login form, twitter module etc. So in other words all the logic is in separate files and ones you need it you include it in your template.

 

If I were you I would just sit down and write down the logic for the 2 situations: Logged in and not logged in.

 

Combine those in 1 if clause Like in the image attached, and ones that works all you have to do is include it where ever you want.

 

As always, thanks for the time and reply.

 

I follow what you are saying, but I don't want to do things that way.  (And, no, not because I am being difficult?!)

 

What I ant is how Amazon.com works.

 

Look at their home page and look at the Welcome Text.

 

I have copied that to a "T" and want my website to work like theirs - with a standalone Log-In page - for now.

 

My reasons are many, and ironically it is because that seems simpler to me.

 

It is also a fairly common design, as is the one you described which has everything on one page.

 

If you can help me mimic what Amazon.com does that'd be great.  8)

 

 

 

Debbie

 

 

Link to comment
Share on other sites

So, set a Session variable that keeps track of the user.

 

Top of each page.

<?php
session_start();
$_SESSION['page'] = 'this_page.php';
?>

 

Login.

<?php 
session_start();

//do login.

if($login == true) {
header('Location: ' . WEB_ROOT . '/' . $_SESSION['page']);
}

 

Or, something to that affect.

Link to comment
Share on other sites

if you don't want to use sessions to store the previous page like JCbones sugested, You could append a $_GET variable to your login link.

ONes someone presses that link the variable is passed along, than at the login form you can store that variable as a hidden field. To keep i persistent. A simple example could be:

 

<!DOCTYPE html
     PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>PAGE A</title>
    </head>
    <body>
        <div id="wrapper">
            <div id="login">
                <?php echo '<a href="loginlinkform.php?article='.$_SERVER['SCRIPT_NAME'].'">Login</a>';?>
            </div>
            <p class="article">
                lalala this is some article
            </p>
        </div>        
    </body>
</html>

than your login form, (stripped down just to show how to use that $_GET variable)

 

<?php
$location = '';
//first time
if(isset($_GET['article'])){
    $location = $_GET['article'];
}else{
    //do something else
}
//if submitted the $_GET variable is gone so we store it in a hidden field, other methods are possible here
if(isset($_POST['submit'])){
    $location = $_POST['location'];
}


?>
<form action="<?php echo $_SERVER['SCRIPT_NAME']; ?>" method="post">
    <input type="hidden" name="location" value="<?php echo $location; ?>" />
    <input type="text" name="username" />
    <input type="password" name="password" />
    <input type="submit" name="submit" value="login" />
</form>

 

Anyway there are more roads that lead to Rome, so pick the one that makes more sense to you

Link to comment
Share on other sites

The reason cssfreakie suggested avoiding sessions is if a user is browsing multiple articles in different tabs, your sessions could have unexpected values in them.

 

I would agree with him. On every login link, attach the name of the page you want them to return to in the query string. You then have a sure-fire link back to the page in the $_GET array...

 

Watch out for XSS attempts though. Don't allow people to give out links like http://yoursite.com/login.php?ref=http://badsite.com/relogintostealinfo. Verify using RegEx or simpler means, that the redirect won't leave your domain.

Link to comment
Share on other sites

The reason cssfreakie suggested avoiding sessions is if a user is browsing multiple articles in different tabs, your sessions could have unexpected values in them.

 

I would agree with him. On every login link, attach the name of the page you want them to return to in the query string. You then have a sure-fire link back to the page in the $_GET array...

 

Watch out for XSS attempts though. Don't allow people to give out links like http://yoursite.com/login.php?ref=http://badsite.com/relogintostealinfo. Verify using RegEx or simpler means, that the redirect won't leave your domain.

 

 

Been traveling the last few days.

 

Trying to get my head back in the game?!

 

Here is what I came up on my flight on Thursday night...

 

 

1.) In each file I added this to the top of each script...

 

<?php
// Initialize a session.
session_start();

// Set current Script Name.
$_SESSION['returnToPage'] = $_SERVER['SCRIPT_NAME'];
?>

 

 

2.) For Articles I needed a slightly different script since they use "pretty URL's"...

<?php
// Initialize a session.
session_start();

// Check for Title in URL.
if (isset($_GET['title'])){
	// Title found in URL.

	// Set Article Title.
	$articleTitle = $_GET['title'];
	$_SESSION['articleTitle'] = $_GET['title'];

	// Set current Script Name + Query String.
	$_SESSION['returnToPage'] = $_SERVER['SCRIPT_NAME'] . '?title=' . $articleTitle;

 

 

3.) Then for my Dedicated Log-In page I have...

<?php
// Initialize a session.
session_start();

			// *************************************************************
			// HANDLE FORM.											
			// *************************************************************
			if ($_SERVER['REQUEST_METHOD']=='POST'){
				// Form was Submitted (Post).

				// ******************************
				// CHECK LOG-IN INFORMATION.		*
				// ******************************

				// Check Email.
				// Check Password.

				// Check for Data-Entry Errors.
				if (empty($errors)){
					// Form data clean.

					// Build query.
					// Prepare statement.
					// Bind variable.
					// Execute query.
					// Transfer result set from prepared statement.
					// Initialize variables to hold query results.

					// ****************************
					// Check for Member Record.		*
					// ****************************
					if (mysqli_stmt_num_rows($stmt)==1){
						// Member was Found.

						// Fetch record.

						$_SESSION['loggedIn'] = TRUE;
						$_SESSION['memberFirstName'] = $memberFirstName;

						// Redirect User.
						if (isset($_SESSION['returnToPage'])){
							header("Location: " . WEB_ROOT . $_SESSION['returnToPage']);
						}else{
							// Take user to Home Page.
							header("Location: " . WEB_ROOT . "index.php");
						}

						// End script.
						exit();

 

As far as I can see, the above approach works for all pages on my website, however I dislike having to put the code as shown in #1 above...

 

How does my approach look?

 

Any security issues with it?

 

 

Debbie

 

 

Link to comment
Share on other sites

Seriously, this is about the 5th thread you've opened on this subject.

 

We have a 'do not double post' rule, you should stick to it.

 

Seriously, if you'd read what I posted you'd see it is *not* a double post, and - in some cases - if people would answer the original question we wouldn't go off on all of these tangents leading me to post a different thread.

 

I've also been told online that it is better to post about "parts of a problem" versus expecting people to solve an entire issue by going on and on.  So I tend to ask questions about different parts of the same larger problem, which is not "double-posting".  It is doing what I was told to do...

 

 

Debbie

 

 

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.