
If a user is on Page X, but not logged in, when they log in to my website, I want them to return back to Page X (in this example).

 

To handle this, I am adding this code to the top of each webpage...

// Set current Script Name.
$_SESSION['returnToPage'] = $_SERVER['SCRIPT_NAME'];

 

And then as part of my Log In script I have...

// Redirect User.
if (isset($_SESSION['returnToPage'])){
	header("Location: " . BASE_URL . $_SESSION['returnToPage']);
}else{
	// Take user to Home Page.
	header("Location: " . BASE_URL . "index.php");
}
// Stop here so no further code runs after the redirect header is sent.
exit;

 

What do you think about this approach?  :confused:

 

Thanks,

 

 

Debbie

 


This won't work if you put that code in each of the webpage parts.

Reasons:

-if it's on EVERY page, then it's in the login page, too. So the login page is also marked in the $_SESSION cookie. After the users log in, they'll be redirected to the login form? Sorry, not what you want there. :P

-it's messy. If you want to put code that repeats, put it in your includes file.

 

You can also:

-use user's browser history to navigate him one page back (history.back() in JavaScript)

-implement the login form somewhere in the page so you don't even have to do that.

 

If you're using it in your includes file, you can exclude the code in your login.php like this:

 

if(explode('/', $_SERVER['PHP_SELF']) != 'login.php'){

    // Do your session tagging stuff.

}

 

Or if you're doing it manually on every page (which I don't find practical), just don't put it in login.php file. xD

 

And one more thing, I suggest you don't use whole urls, just explode it till the name of the file so you get 'file.ext' format like I did here.

Saves you from a lot of server path error stuff.

 

This won't work if you put that code in each of the webpage parts.

Reasons:

-if it's on EVERY page, then it's in the login page, too. So the login page is also marked in the $_SESSION cookie. After the users log in, they'll be redirected to the login form? Sorry, not what you want there. :P

 

Agreed, but I was just going to put it on pages where you'd want to return to after logging in.

 

 

-it's messy. If you want to put code that repeats, put it in your includes file.

 

Okay.

 

 

You can also: use user's browser history to navigate him one page back (history.back() in JavaScript)

 

Except when JavaScript is off...

 

 

implement the login form somewhere in the page so you don't even have to do that.

 

If you're using it in your includes file, you can exclude the code in your login.php like this:

 

if(explode('/', $_SERVER['PHP_SELF']) != 'login.php'){

    // Do your session tagging stuff.

}

 

I have heard that $_SERVER['PHP_SELF'] is insecure...  (Hackers can insert any page in that function...)

 

Is there a way to do that another way?

 

BTW, how does your code work?  Explode is supposed to return an array of substrings, so how can you compare an array to 'login.php'??

 

 

Or if you're doing it manually on every page (which I don't find practical), just don't put it in login.php file. xD

 

Right!

 

 

And one more thing, I suggest you don't use whole urls, just explode it till the name of the file so you get 'file.ext' format like I did here.

Saves you from a lot of server path error stuff.

 

Except you assume that all files are in the same directory which they may not be...

 

Thanks,

 

 

Debbie

 

I have heard that $_SERVER['PHP_SELF'] is insecure...  (Hackers can insert any page in that function...)

 

Even if they could, so what? They can also just go to the address bar and put any page in it.

 

Because they could re-direct your user off of your site!!!  (This is a pretty well established no-no in PHP.  Google $_SERVER['PHP_SELF']...)

 

 

Debbie

 

Oh! Sorry! Yuycks, another fail of mine.

 

I forgot this:

 

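// end() takes its argument by reference, so the array needs its own variable.
$parts = explode('/', $_SERVER['PHP_SELF']);

if(end($parts) != 'login.php'){ // end function returns the last array element

    // Do your session tagging stuff.

}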

 

"Except when JavaScript is off..."

Who turns off JavaScript? But okay, you're right technically. :P That one falls into water.

 

"Except you assume that all files are in the same directory which they may not be..." Well the directory still doesn't matter, I hope you don't name any of your files the same name.

 

About PHP_SELF, I didn't know that cause I'm not much worried about security, since I develop mostly local CMS.. Thanks! :)

Oh! Sorry! Yuycks, another fail of mine.

 

I forgot this:

 

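// end() takes its argument by reference, so the array needs its own variable.
$parts = explode('/', $_SERVER['PHP_SELF']);

if(end($parts) != 'login.php'){ // end function returns the last array element

    // Do your session tagging stuff.

}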

 

That makes more sense.

 

 

"Except when JavaScript is off..."

 

Who turns off JavaScript? But okay, you're right technically. :P That one falls into water.

 

More people than you'd think.  (Any solution that relies solely on JavaScript with no fall-back is a *BAD* idea...)  ;)

 

 

"Except you assume that all files are in the same directory which they may not be..."

 

Well the directory still doesn't matter, I hope you don't name any of your files the same name.

 

I don't follow you?!

 

If I was reading the article located here...

 

/articles/postage-meters-can-save-you-money.php

 

...and my log in page is here...

 

/members/login.php

 

...then taking your advice and stripping off the path will NOT get me from "login.php" back to "postage-meters-can-save-you-money.php"

 

 

BTW, you don't seem to be concerned about the shortcomings of $_SERVER['PHP_SELF']...

 

Isn't there another PHP function that does the same thing but is safer??

 

 

Debbie

 

 

Stripping path was just for a file-check. Full paths should be stored in a session file.

 

I'm not concerned, since I only do local stuff (I'm not on any server), but as I progress, I will know more.

Maybe this helps?

 

http://www.mc2design.com/blog/php_self-safe-alternatives

 

And I was just using PHP_SELF cause I used it at the time, so, another fail of mine. And another lesson for me.

BTW, you don't seem to be concerned about the shortcomings of $_SERVER['PHP_SELF']...

 

Isn't there another PHP function that does the same thing but is safer??

 

There are other ways to determine the file's name, yes.  PHP_SELF isn't as bad as some people make it out to be though.  The only real danger is if you output it to a page without running it through htmlentities first.  Using it in other ways is not generally a problem.  Someone can't completely change PHP_SELF to some other url like you implied above.  They can only add additional information to the URL.  In the example above that might cause your if condition to fail, but it's not any sort of big problem really.  The user would just end up back at the login page after logging in.  People who use your site as intended will never have this issue, only people who try and abuse it would.

 

Make a page and print_r($_SERVER), that will show you what your alternatives are.  I believe a 'safer' alternative to PHP_SELF is SCRIPT_NAME but I can't remember for sure.  I typically don't use either value.

 

BTW, you don't seem to be concerned about the shortcomings of $_SERVER['PHP_SELF']...

 

Isn't there another PHP function that does the same thing but is safer??

 

There are other ways to determine the file's name, yes.  PHP_SELF isn't as bad as some people make it out to be though.  The only real danger is if you output it to a page without running it through htmlentities first.  Using it in other ways is not generally a problem.  Someone can't completely change PHP_SELF to some other url like you implied above.  They can only add additional information to the URL.  In the example above that might cause your if condition to fail, but it's not any sort of big problem really.  The user would just end up back at the login page after logging in.  People who use your site as intended will never have this issue, only people who try and abuse it would.

 

Make a page and print_r($_SERVER), that will show you what your alternatives are.  I believe a 'safer' alternative to PHP_SELF is SCRIPT_NAME but I can't remember for sure.  I typically don't use either value.

 

Doesn't the constant '__FILE__' tell you what page you are on?

 

 

Debbie

 

Stripping path was just for a file-check. Full paths should be stored in a session file.

 

Oops!  My bad!

 

 

Debbie

 

Ya, I did that because if you check for the file from different servers, you'd have to manually change the directory stuff.. So let's just stick to the file.

About the constant, yippie! :D

Hope I helped in any way.

Cheers!

 

P.S. I'm new to this forum and I really like it...

Doesn't the constant '__FILE__' tell you what page you are on?

 

The constant __FILE__ tells you what file is currently executing.  This will change for included files.

 

eg: common.inc.php

<?php
var_dump(__FILE__);
?>

 

index.php:

<?php

include 'common.inc.php';

var_dump(__FILE__);
?>

 

 

The var_dump inside of common.inc.php will output a path such as: /home/doubledee/html/common.inc.php

whereas the one inside index.php will output: /home/doubledee/html/index.php

 

So, you can use __FILE__ to determine what file you're currently executing in, but not what file was actually requested.  __FILE__ is mainly useful for logging errors or deriving file locations relative to the current file.

 

Stripping path was just for a file-check. Full paths should be stored in a session file.

 

Oops!  My bad!

 

 

Debbie

 

Ya, I did that because if you check for the file from different servers, you'd have to manually change the directory stuff.. So let's just stick to the file.

About the constant, yippie! :D

Hope I helped in any way.

Cheers!

 

P.S. I'm new to this forum and I really like it...

 

I think this is a *safer* way to get the current file name...

$currentFile = basename($_SERVER['SCRIPT_NAME']);

 

Someone please verify this!!

 

Thanks,

 

 

Debbie

 

P.S.  Welcome Ivan!  Glad to have you here!  :)
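
An added example, not code from any poster in this thread: one way to record the return page from SCRIPT_NAME in a shared include, skip the login script, and validate the stored value before redirecting. The helper names, the BASE_URL value (here without a trailing slash) and the login path are assumptions.

```php
<?php
// Hypothetical helpers for illustration; BASE_URL's value and the login
// path are assumed here, not taken from the thread.
define('BASE_URL', 'https://www.example.com');
const LOGIN_SCRIPT = '/members/login.php';

// Call from the shared include on every page, after session_start().
function rememberReturnPage(array $server, array &$session): void
{
    // SCRIPT_NAME is the script the server resolved. PHP_SELF also carries
    // any trailing path info, so /members/login.php/x would slip past a
    // comparison of its last segment against 'login.php'.
    $script = $server['SCRIPT_NAME'] ?? '';
    if ($script !== '' && $script !== LOGIN_SCRIPT) {
        $session['returnToPage'] = $script; // full path, so subdirectories work
    }
}

// Returns a site-local path that is safe to append to BASE_URL.
function safeReturnTarget(array $session): string
{
    $target = $session['returnToPage'] ?? '';
    // Accept only a path rooted at a single slash, made of plain path
    // characters and ending in .php; anything else goes to the home page.
    if (is_string($target)
        && preg_match('#^/(?!/)[A-Za-z0-9_\-./]+\.php\z#', $target)
        && strpos($target, '..') === false) {
        return $target;
    }
    return '/index.php';
}

function redirectAfterLogin(array $session): void
{
    header('Location: ' . BASE_URL . safeReturnTarget($session));
    exit; // stop the script so nothing runs after the redirect
}

// Constructed request: the login script fetched with trailing path info.
$server  = ['SCRIPT_NAME' => '/members/login.php',
            'PHP_SELF'    => '/members/login.php/x'];
$session = ['returnToPage' => '/articles/postage-meters-can-save-you-money.php'];
rememberReturnPage($server, $session);              // login page is not recorded
var_dump(basename($server['PHP_SELF']) === 'login.php'); // the PHP_SELF-based check
echo safeReturnTarget($session), "\n";
```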

 

 
