9

Let's say I want to navigate to the contact page. But in order to get there, the site requires me to login. After logging in, I'm supposed to be redirected to the contact page, but I'm somewhere else. What should I do such that I should be redirected to the page I want after logging in?

I have a strong feeling that this has something to do with sessions but nonetheless. What should the approach be?

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
mist
  • 91
  • 1
  • 2

3 Answers3

10

You have three general approaches:

  1. Store the previous page in the session;
  2. Store the page as a GET variable; or
  3. Do an internal redirect to the login page.

(1) looks something like:

<?php
session_start();
if (!$_SESSION['userid']) {
  $_SESSION['page'] = '/contact';
  header('Location: /login');
  exit;
}
...
?>

On successful login retrieve $_SESSION['page'] and redirect.

(2) is similar except there is no session variable. Instead you have:

header('Location: /login?return=/contact');

to pass the redirect. The login page will have to include it as a hidden form field on the page that presents the user with a request for the username and password.

(3) is similar but doesn't redirect to a separate page. Instead each page can potentially be a login page. If the user isn't logged in a login form is presented instead. The URL will still be "/contact". Each page will detect and handle log in attempts.

The advantage of this method is one less external redirect and it's easier to handle submitted forms. By this I mean that imagine someone fills out a form on one of your pages and then clicks submit. The system sees their login has expired. If you redirect the user to a new page and then redirect back they will probably need to re-enter all the form fields. If you handle the login implicitly you can include all the form fields as hidden inputs and once logged in seamlessly treat it as a submission of the original page.

cletus
  • 616,129
  • 168
  • 910
  • 942
4

The approach I normally use:

  1. On your contact page, redirect to the login page if the user is not logged in.
  2. On the login page, use the $_SERVER['HTTP_REFERER'] variable (which will be set to the page the user came from, i.e. the contact page) and store that as a hidden field.
  3. After the user logs in, redirect them back to the page they were on.

The beauty about this is that it automatically works for all pages that require being logged in without having to set session variables on each page.

One caveat: when logging in you should check that the page in the referer is on your site, not a completely different site, in case the user happened to come from Google, for example.

DisgruntledGoat
  • 70,219
  • 68
  • 205
  • 290
2

I tend to redirect to the login page, passing the current URL in the query string.

The page to protect

session_start();

if (!isset($_SESSION['user_id']))
{
    // Fetch current URL
    $this_url = $_SERVER['REQUEST_URI'];

    // Redirect to login page passing current URL
    header('Location: login.php?return_url=' . urlencode($this_url));
    exit;
}

// Continue processing
echo 'Hello from this page';

The login page

session_start();

// Simulate logging in user
$_SESSION['user_id'] = 1;

// Fetch URL to redirect to
$return_url = isset($_GET['return_url']) ? $_GET['return_url'] : 'site_home.php';

// Redirect back
header('Location: ' . $return_url);

In the code above I just simulate the process of logging in. Normally the user should submit their credentials through a form, the credentials are verified and then the user is logged in. The URL of the page to redirect back to must be maintained through this process. You can either continue to pass the URL in the query string or through a hidden input field in the form.

Stephen Curran
  • 7,433
  • 2
  • 31
  • 22