tags:

views:

84

answers:

2

Oi!

I have wanted a returntosamepageafterlogin-feature on my site for a long time. But whats the best way?

I was thinking about saving the url into a session and when he/she logins, i check if the returnto-session if set, if it is, i redirect to that page

Is that safe/good?

+5  A: 

This is usually done by putting the URL for the previous page in the querystring of the login page.

EDIT: Make sure to validate that the URL is a relative path, and to correctly encode it.

SLaks
Yeah i see almost every site do this, but how to you make it safe? a white list?
Berra
Does it matter? You should be checking access on each page anyway -- there's more to access control than "Is the user logged in? Yes? They must have access then!" If someone passes a page they shouldn't have access to, you should already be blocking it. Otherwise someone could log in and go to your blocked page just by typing it into the address bar, and achieve the same thing as if they'd put it in the query string to your login page's URL.
cHao
How do you make it safe against what?
SLaks
The correct thing to-do would be to check for valid security on each page. That would insure that any redirect doctoring would fail if someone attempts to gain access to a page they shouldn't. I assume thats what you mean by safe?
Mark
No wonder why the internets are so unsafe. Doing this recommendation can lead to unintended results, such as: 1) client changes the url in form or in url to point to some unscrupulous porn site, making your own site now a known referrer; 2) Header injection or Response Splitting. Re: http://www.owasp.org/index.php/HTTP_Response_Splitting. Motto of the internet: "Trust No one", not even your clients.
bob-the-destroyer
@bob: Correctly implemented, this will lead to neither. The URL should be enforced as a relative path, and the header should be properly encoded.
SLaks
@Slaks You may want to add that caveat. Otherwise it could lead to false assumptions that doing this and only this is a-ok. I know onus is on the person who takes the advice, but still it would help.
bob-the-destroyer
A: 

Every page at the top (after proper initialization of the session & configurations, whatever preliminary & important you require), you need to fire one function (for example, "checkLogin()") to check & see whether the visiting user has got its session / cookie / permission (for that page) set, according to some specific conditions.
To check what all permissions are required for each specific page, you can pass some parameters regarding these permissions to the function definition, and authenticate the user as suitable.

If the condition(s) are set, you can redirect the user as an authenticated one to his requested page, otherwise just redirect him to your site's login page (with his requested page mentioned either in the query string or saved in a session variable). Now after proper login & setting of specific permissions for authentication, you can easily use the query string's value of requested page to redirect him to his destination.

Hope it helps.

Knowledge Craving