The prefered 'login' procedure and redirect.
This is a discussion on The prefered 'login' procedure and redirect. within the PHP Language forums, part of the PHP Programming Forums category; Hi, I have a Login.php page that logs the user in and out. I has two forms within the ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
03-24-2005
|
|||
|
|||
The prefered 'login' procedure and redirect.
Hi,
I have a Login.php page that logs the user in and out. I has two forms within the page, (depending on what we are trying to do), either one to log in or out. The form calls itself using a post method and either logs the user in our out given the information from the form. but every pages use sessions and cookies, if the user is successfully logged in then the cookies and session values are updated, (as well as MySQL). Now it all works fine but I want to add some functionality where if the user goes to a restricted page they are sent to the login page, and if the login is successful then they will be sent back to the original restricted page. I can redirect the user from the restricted page to the login page, but returning to the restricted page after login is a problem as the headers have been sent already, (to do the login). Because the login uses sessions/cookies and tables I have to send the headers to do the login as I cannot login the user and then redirect them to a page, (the redirect must be before sessions/cookies I believe. So what is the 'preferred way to redirect users after a successful login? Simon 
|
|
03-24-2005
|
|||
|
|||
|
Re: The prefered 'login' procedure and redirect.
I noticed that Message-ID: <3af6kuF68kv59U1@individual.net> from Simon
contained the following: >I can redirect the user from the restricted page to the login page, but >returning to the restricted page after login is a problem as the headers >have been sent already, (to do the login). But the login page calls itself. So set a session variable to contain information about the page they want to go to and do all the checking before outputting any html. then you can read the session variable containing the referring page information and redirect accordingly. -- Geoff Berrow (put thecat out to email) It's only Usenet, no one dies. My opinions, not the committee's, mine. Simple RFDs http://www.ckdog.co.uk/rfdmaker/
|
|
03-24-2005
|
|||
|
|||
|
Re: The prefered 'login' procedure and redirect.
Simon wrote:
> Hi, > > I have a Login.php page that logs the user in and out. > I has two forms within the page, (depending on what we are trying to do), > either one to log in or out. > > The form calls itself using a post method and either logs the user in our > out given the information from the form. > but every pages use sessions and cookies, if the user is successfully > logged in then the cookies and session values are updated, (as well as > MySQL). > > Now it all works fine but I want to add some functionality where if the > user goes to a restricted page they are sent to the login page, and if the > login is successful then they will be sent back to the original restricted > page. > Dispatchers are pretty good at this. If all page requests go through a dispatcher, it can determine if the user has a valid session. If not, they go to the login page. Your present case fits right in easily. -- Kenneth Downs Secure Data Software, Inc. (Ken)nneth@(Sec)ure(Dat)a(.com)
|
|
03-24-2005
|
|||
|
|||
|
Re: The prefered 'login' procedure and redirect.
On Thu, 24 Mar 2005 06:56:25 -0000, "Simon" <spambucket@myoddweb.com> wrote:
>I have a Login.php page that logs the user in and out. >I has two forms within the page, (depending on what we are trying to do), >either one to log in or out. > >The form calls itself using a post method and either logs the user in our >out given the information from the form. >but every pages use sessions and cookies, if the user is successfully logged >in then the cookies and session values are updated, (as well as MySQL). > >Now it all works fine but I want to add some functionality where if the user >goes to a restricted page they are sent to the login page, and if the login >is successful then they will be sent back to the original restricted page. > >I can redirect the user from the restricted page to the login page, but >returning to the restricted page after login is a problem as the headers >have been sent already, (to do the login). >Because the login uses sessions/cookies and tables I have to send the >headers to do the login as I cannot login the user and then redirect them to >a page, (the redirect must be before sessions/cookies I believe. > >So what is the 'preferred way to redirect users after a successful login? The simplest method, which only works if the resource you're protecting is a PHP script, is to "include" a function to check the login on each protected page before any output is sent. This function can check sessions/cookies/whatever, and since it's being called by the protected page, it has access to variables such as $_SERVER['PHP_SELF'] or $_SERVER['REQUEST_URI'] and so on, in other words, all the information required to reconstruct the URL being accessed, including GET variables. If the login function can't authenticate the user, it can present a login form instead of the protected URL, posting back to your Login.php with a hidden form field containing the URL. On successful login, it can issue a "Location" header back to the URL saved from earlier. If you're protecting a POST things get a little more awkward since redirecting POST data is not consistently supported across browsers, but you could transfer the POST variables into a session variable, and reconstruct the form fields, so after successfully logging in, it could present a "OK, you're logged in, now click this submit button to retry your request" form. If you're trying to protect non-PHP resources, i.e. you can't add a check at the top of each page, then it gets much more complicated. -- Andy Hassall / <andy@andyh.co.uk> / <http://www.andyh.co.uk> <http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
|
|
03-25-2005
|
|||
|
|||
|
Re: The prefered 'login' procedure and redirect.
"Simon" <spambucket@myoddweb.com> wrote in message
news:3af6kuF68kv59U1@individual.net... > Hi, > > I have a Login.php page that logs the user in and out. > I has two forms within the page, (depending on what we are trying to do), > either one to log in or out. > > The form calls itself using a post method and either logs the user in our > out given the information from the form. > but every pages use sessions and cookies, if the user is successfully logged > in then the cookies and session values are updated, (as well as MySQL). > > Now it all works fine but I want to add some functionality where if the user > goes to a restricted page they are sent to the login page, and if the login > is successful then they will be sent back to the original restricted page. > > I can redirect the user from the restricted page to the login page, but > returning to the restricted page after login is a problem as the headers > have been sent already, (to do the login). > Because the login uses sessions/cookies and tables I have to send the > headers to do the login as I cannot login the user and then redirect them to > a page, (the redirect must be before sessions/cookies I believe. > > So what is the 'preferred way to redirect users after a successful login? When a user access a restricted page and he/she is not logged in, redirect him/her to the login page with the requested uri in the URL. The login page writes the request uri in a hidden field along with fields for user name and password. When authentication/authorization is successful, the post handling code of the login page redirects to the request uri. If not, the login page redirects to itself. Redirect can happens after the session is set, since it's just an HTTP header. There's no problem simultaneously setting a cookie and redirecting the browser.
|
|
03-25-2005
|
|||
|
|||
|
Re: The prefered 'login' procedure and redirect.
"Chung Leong" <chernyshevsky@hotmail.com> wrote in message
news:SvCdnS5tbPA9J97fRVn-gw@comcast.com... > > When a user access a restricted page and he/she is not logged in, redirect > him/her to the login page with the requested uri in the URL. The login > page > writes the request uri in a hidden field along with fields for user name > and > password. When authentication/authorization is successful, the post > handling > code of the login page redirects to the request uri. If not, the login > page > redirects to itself. > > Redirect can happens after the session is set, since it's just an HTTP > header. There's no problem simultaneously setting a cookie and redirecting > the browser. > Thanks all for the replies. I was having a problem with my headers, I had a rogue character that was somehow causing the headers to be sent, a bit of trimming solved the problem. I thought it was because I was doing session work b4 sending the header that I was having a problem. So in case you are developing in Windows and Unix remember that some rogue characters can cause problems with the headers. Thanks all. Simon
|
Linear Mode
