+2  A: 

On login page:

```php
<form action="controller/LoginController" method="post">
<?php

// !empty() avoids an "undefined index" notice when the browser sends no Referer
if(!empty($_SERVER['HTTP_REFERER'])){
  echo '<input type="hidden" name="l" value="'.$_SERVER['HTTP_REFERER'].'" />';
}

?>
<!-- the rest of the form -->
<input type="submit" />
</form>
```

At login controller, you take in the $_POST['l'] value and see whether or not this URL is on your own website. If it isn't, redirect to your default page, else redirect to this URL.

Make sure that on your login page, if the user is already logged in, you redirect the user back to the home page or something. This will prevent cases like redirecting back to login.

$_SERVER['HTTP_REFERER'] is a browser responsibility. It is also most of the time rather reliable. If the browser doesn't send it, or if you are worried about it, you can use the session instead.

On every page simply set $_SESSION['lastvisitpage'] to the current page URL. On login then you redirect to $_SESSION['lastvisitpage'].

thephpdeveloper
So HTTP_REFERER *is* the standard way to do this then? I like the idea of using a 'lastpage' session variable as a backup for the case of a blank referer. Thanks!
AgentConundrum
No problem at all. But be wary of the SESSION method because you never know if the user opened multiple tabs of your site in his/her browser. If this answers your question, put a tick on it to let others know =)
thephpdeveloper
Good point (multiple tabs). This seems like it works best with multiple fallbacks. If there's a hidden form element, use it. If not, check the HTTP_REFERER on the login page and use that. If that's blank too, either use whatever the session says the last page was, or throw the user back to the main page. It might come down to a matter of opinion on which of those two options provides the better user experience. 'Main Page' is likely less confusing than being pushed to a page you have open in another tab, but it's a worse experience in cases of single tabs where the 'Last Page' is reliable.
AgentConundrum
yep totally agreed.
thephpdeveloper
uhm.. a mass downvoter?
thephpdeveloper
You should consider `$_SERVER` tainted. At least apply `htmlspecialchars` to it before inserting it straight into HTML.
Geert
@Geert - Absolutely. It's sort of implied by the quote I included: "In short, it cannot really be trusted." WebDev 101 says you always need to sanitize your inputs. I'd probably end up throwing it through the sanitizer script I found, and then running a couple quick sanity checks on it to be safe.
AgentConundrum
That's for illustration. Either way you're validating it all at the end. There's virtually no harm in not sanitizing the form at first.
thephpdeveloper
A: 

I would suggest making an AJAX call to log in the user and, on a successful AJAX response, just refreshing the current page.

Undefined
You cannot make such an important feature Javascript-dependent unless you are able to have a Javascript fail-safe backup for it.
thephpdeveloper
I'd pretty much echo what @thephpdeveloper said. I'd really like everything to work well when javascript isn't available.
AgentConundrum
I prefer the AJAX call, but I also have a standard login page if Javascript doesn't load. The page however does redirect to the main page. No Javascript = No Saving Your Location.
Chacha102
+1  A: 

It would be better if you store the last visited page on your own, maybe with the help of a session.

If the user requests a page from your website for the first time, start a new session and initialize last-URI with the current URI. Update this last-URI whenever another page is requested until it’s the login page. Now if the authentication is successful, you can redirect the user to the URI in last-URI.

And if you have a login form on every page, use a hidden input in which the current URI is stored.

Gumbo
-1: See other question for Multiple Tab Issue.
Chacha102
+1  A: 
```php
if(user_not_logged_in())
{
    $link = "http://example.com/login?continue=path/to/current/page";
    echo '<a href="'.$link.'">Login</a>';
}
```

This is how I, and sites like Google, do it. You would need to make sure that you check the continue variable and sanitize it of weird URLs first, however.

Another option is to use AJAX, and allow the user to log in from any page. The user logs in, you submit the form via AJAX, and refresh when the request comes back.


I think you might be asking if the user specifically clicks on the login link on a menu, you automatically think that the user wants to be redirected to the page that they pressed the button from. This I believe is a flaw in logic. Take StackOverflow. Just because I press login doesn't mean I want to return to the question I was last on.

However, there are some instances that it would be correct to assume the person wants to go back, such as if I upvoted a question and got the popup telling me to login. If I clicked the link there, it would be safe to assume that I want to go back. But just the login link on the nav bar doesn't have that implied meaning.

Chacha102
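
The same-site check that the first answer describes for `$_POST['l']`, and that the last answer asks for on the `continue` parameter, written out as an added example; it is not code from any poster in this thread. The function name `safe_redirect_target`, the host `example.com` and the `/login` path are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example. safe_redirect_target(), example.com and /login are assumed names.
function safe_redirect_target(string $candidate, string $ownHost, string $default = '/'): string
{
    // Control characters enable header injection; browsers may read "\" as "/".
    if ($candidate === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $candidate)) {
        return $default;
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $default;
    }
    // Absolute ("https://host/...") or protocol-relative ("//host/...") URL:
    // accept it only if it is http(s) and points at our own host.
    if (isset($parts['scheme']) || isset($parts['host'])) {
        $scheme = strtolower($parts['scheme'] ?? 'https');
        $host   = strtolower($parts['host'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true) || $host !== strtolower($ownHost)) {
            return $default;
        }
    }
    // Rebuild a root-relative target from path and query only, so scheme, host
    // and userinfo from the input never reach the Location header. Collapsing
    // leading slashes stops "/path" from turning into "//other-host".
    $path = '/' . ltrim($parts['path'] ?? '', '/');
    if ($path === '/login') {
        return $default; // never bounce back to the login page itself
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Constructed sample inputs: hidden field "l", "continue" parameter or Referer.
$samples = [
    'https://example.com/questions/42?tab=votes',
    'path/to/current/page',
    '//evil.example/phish',
    'https://example.com@evil.example/',
    'https://example.com//evil.example/',
    'javascript:alert(1)',
    'https://example.com/login',
];
foreach ($samples as $s) {
    printf("%-45s => %s\n", $s, safe_redirect_target($s, 'example.com'));
}
```

In the login controller the returned value goes into `header('Location: ...')` followed by `exit`. When the same value is written into a hidden form field it still needs `htmlspecialchars`, as the comment on the first answer points out.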