-1

When a user tries to log in to my site, his user name and password are sent as POST variables. When the page loads, I get the variables, process them and decide whether log in was successful or not. Then I render my page containing a message informing the user of their success or failure to log in.

My problem is that if the user hits F5 or refresh, the browser prompts them to resend the log in data. Is there a way to avoid it without reloading the page? Some javascript maybe? If not, then I can send a header to reload the page, but how would I display the message to the user?

Right now I have a user_message object containing an array of information to show the user on page load.

PeeHaa
  • 71,436
  • 58
  • 190
  • 262
ppp
  • 2,035
  • 9
  • 32
  • 52

5 Answers5

5

You should redirect to the new page. This way when the user refreshes the page there will be no POST variables.

form -> form handler -> success / failure page

Where the second arrow is the redirect.

PeeHaa
  • 71,436
  • 58
  • 190
  • 262
  • So there is no javascript way to settle this? – ppp Mar 31 '12 at 18:40
  • You could AJAX Post the data instead of making a normal form request. THere is no other solution since the browser "caches" the last whole(!) request incl. the sent data. – Julius F Mar 31 '12 at 18:42
  • @AnPel What do you mean by "javascript way"?? The form is handled by PHP right so I don't see what Javascript has to do with it. Could you please elaborate? – PeeHaa Mar 31 '12 at 18:45
  • @RepWhoringPeeHaa the prompt to resend the form data is browser issued, php has nothing to do with it. Maybe the prompt could be manipulated or even not shown in some way. – ppp Mar 31 '12 at 18:49
  • @AnPel You say: "Then I render my page containing a message informing the user of their success or failure to log in." That means PHP renders the page right? If not I have question for you: You aren't trusting JS to do any credential validating do you? – PeeHaa Mar 31 '12 at 18:52
  • php renders the page and the page contains the message. my problem is not the message, is that the prompt to resend the data might annoy the users. so perhaps there was a way to force the browser not to shw the prompt. besides, users dont usually log in to a page and refresh, so I don't expect my server to be really overloaded by requests. – ppp Mar 31 '12 at 18:57
  • "php renders the page" Actually what I am saying is. Instead of letting PHP just render the page first let it do a redirect... – PeeHaa Mar 31 '12 at 19:03
  • @RepWhoringPeeHaa Thank you for your time, +25rep from me. But I really believe we haven't understood each other at any point in the conversation above. – ppp Mar 31 '12 at 19:13
  • @AnPel that might just be the case wanna explain in chat? http://chat.stackoverflow.com/rooms/9543/peehaas-room – PeeHaa Mar 31 '12 at 19:15
3

The solution to this is the PRG pattern. You process the login information from the page that is POSTed, then you redirect to another (result) page with GET.

Jon
  • 428,835
  • 81
  • 738
  • 806
2

You may want to use the PRG Pattern

It prevents the user from re-sending by redirecting him to a new page. This means an additional roundtrip but that is mostly no problem.

Christoph
  • 50,121
  • 21
  • 99
  • 128
1

You can check the POST variables, decide whether the login is succesful or not and execute a header('Location: success.php'); or something.

Rick Kuipers
  • 6,616
  • 2
  • 17
  • 37
1

Do a redirect to another URL (or even the same, but the next time it will be a GET request intead of POST) using "Location: whatever" header. Before that, store some info either in the session with $_SESSION variable. Or you can save your message in the URL, just redirect the user to loginresult.php?badlogin=1. In the destination page, show whatever message you need.

kuba
  • 7,329
  • 1
  • 36
  • 41