
I have a landing page on my website. On each page I have PHP code which checks the cookies: if the user has the specific cookie, they stay on that page, and if not, they are redirected to the landing page. On the landing page I have a button which creates the cookie when users click on it.

When the user clicks on the button, the page should go back to the previous page. My code is:

```php
if (isset($_COOKIE['username'])) {
    $_COOKIE['username'];
    header('location: http://example.com/main');
}
else {
    //
}
```

Is there any way to find the previous page link or the originally requested URL?

Amir

1 Answer

Yes, you can use the HTTP_REFERER value found in the $_SERVER superglobal:

```php
if (isset($_COOKIE['username'])) {
    $_COOKIE['username']; // <-- what is this for? What are you doing with it?
    header('location: http://example.com/main');
    die();
}
else {
    // The parentheses matter: "." binds tighter than "?:", so without them
    // the header would be sent without its "Location: " prefix.
    header(
        'Location: ' . (
            !empty($_SERVER['HTTP_REFERER']) ?
                $_SERVER['HTTP_REFERER'] :
                'http://example.com/access_denied' // In case HTTP_REFERER is blank, fallback to this
        )
    );
    die();
}
```

Note that you shouldn't depend on this value for strict security reasons; however, as a "bounce the user to the previous page" function, this should be adequate! Don't forget to use `exit` or `die` statements after sending redirect headers, or the rest of your script will still execute!

Note from the docs about HTTP_REFERER:

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

sjagr
  • an extra nibblet would be to dump out some javascript with `history.go(-1)`. doesn't always work, but also doesn't depend on the server having received a valid referer. – Marc B Oct 08 '14 at 18:42
  • Thanks @Fred-ii-, that's why I said there shouldn't be a dependence, but if the client sent a manipulated `HTTP_REFERER` in this scenario, they would just be bounced back to that manipulated path... – sjagr Oct 08 '14 at 18:47
  • @MarcB It's a good thought; however, if users come from Google or somewhere else they will get sent back there again. Is there any way to prevent that? – Amir Oct 08 '14 at 19:06
  • not really. by design you can't see WHAT you're `go()`ing to, because some of those urls might have nothing to do with your site (e.g. google result->direct to your page). But again, since you can't trust ANYTHING the client is providing, you're limited in available options. – Marc B Oct 08 '14 at 19:07
  • @Amir What you want is not the approach I'd take anyways. If you need to bounce a user because they're not logged in, I'd return an "access denied" page with a login prompt, or just a login prompt in general. Eliminates a lot of guesswork! – sjagr Oct 08 '14 at 19:09
  • @sjagr Your code with die gives me a blank page, and without die it does nothing. – Amir Oct 08 '14 at 19:15
  • @Amir Is there **any** output (`echo`, HTML, or text of any sort) before the `header()` call in your code? – sjagr Oct 08 '14 at 19:17
  • @sjagr All I have before header is what I put in my question; it seems your code even breaks my cookie check process. – Amir Oct 08 '14 at 19:20
  • @Amir I've run it through the linter with no issues. Did you check your error logs? [Hop in this chat room when you have a moment](https://chat.stackoverflow.com/rooms/62697/how-to-get-the-requested-url-from-previous-page) – sjagr Oct 08 '14 at 19:25
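
Added example, not part of the original question, answer or comments: since the answer and comments agree that `HTTP_REFERER` cannot be trusted and may point at another site (such as a search result), this sketch picks the bounce target from a server-side stored request URI first, then a same-host Referer, then a fallback. The host `example.com`, the `/main` fallback, the `return_to` session key and all function names are assumptions made for illustration.

```php
<?php
// Added example: choose a redirect target without trusting the client.
// OWN_HOST, the '/main' fallback and the 'return_to' session key are assumptions.
const OWN_HOST = 'example.com';

/** Accept only a local path such as "/shop/item?id=3"; reject anything that could leave the site. */
function local_path_or_null(?string $path): ?string
{
    if ($path === null || $path === '' || $path[0] !== '/') {
        return null;                       // must be root-relative
    }
    if (strncmp($path, '//', 2) === 0 || strpbrk($path, "\\\r\n") !== false) {
        return null;                       // protocol-relative URL, backslash or line break
    }
    return $path;
}

/** Reduce a Referer header to a local path, or null if it points at another host. */
function referer_to_local_path(?string $referer): ?string
{
    $parts = $referer ? parse_url($referer) : false;
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || strcasecmp($parts['host'], OWN_HOST) !== 0) {
        return null;                       // e.g. the visitor arrived from a search engine
    }
    $path = ($parts['path'] ?? '/') . (isset($parts['query']) ? '?' . $parts['query'] : '');
    return local_path_or_null($path);
}

/** Prefer the URI stored server-side, then a same-host Referer, then the fallback. */
function bounce_target(array $session, array $server, string $fallback = '/main'): string
{
    return local_path_or_null($session['return_to'] ?? null)
        ?? referer_to_local_path($server['HTTP_REFERER'] ?? null)
        ?? $fallback;
}

// Protected page, before redirecting to the landing page: $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
// Landing page, after setting the cookie: header('Location: ' . bounce_target($_SESSION, $_SERVER)); exit;
// Constructed sample inputs; in a real page pass $_SESSION and $_SERVER.
var_dump(bounce_target(['return_to' => '/account/orders?page=2'], []));
var_dump(bounce_target([], ['HTTP_REFERER' => 'https://example.com/blog/post-1']));
var_dump(bounce_target([], ['HTTP_REFERER' => 'https://www.google.com/search?q=x']));
var_dump(bounce_target(['return_to' => '//evil.test/phish'], []));
```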