doubledee Posted December 17, 2011

If a user is on Page X, but not logged in, when they log in to my website, I want them to return back to Page X (in this example). To handle this, I am adding this code to the top of each webpage...

    // Set current Script Name.
    $_SESSION['returnToPage'] = $_SERVER['SCRIPT_NAME'];

And then as part of my Log In script I have...

    // Redirect User.
    if (isset($_SESSION['returnToPage'])) {
        header("Location: " . BASE_URL . $_SESSION['returnToPage']);
    } else {
        // Take user to Home Page.
        header("Location: " . BASE_URL . "index.php");
    }
    exit; // stop the script after sending the redirect header

What do you think about this approach?

Thanks,

Debbie
kicken Posted December 17, 2011

Sounds fine to me. A lot of places just pass the current url as a hidden input in the login form. Either way is probably fine. Using the session would prevent people from fiddling with the url.
Ivan Ivković Posted December 20, 2011

This won't work if you put that code in each of the webpage parts. Reasons:

- if it's on EVERY page, then it's in the login page, too. So the login page is also marked in the $_SESSION cookie. After the users log in, they'll be redirected to the login form? Sorry, not what you want there.
- it's messy. If you want to put code that repeats, put it in your includes file.

You can also:

- use the user's browser history to navigate him one page back (history.back() in JavaScript)
- implement the login form somewhere in the page so you don't even have to do that.

If you're using it in your includes file, you can exclude the code in your login.php like this:

    if(explode('/', $_SERVER['PHP_SELF']) != 'login.php'){
        // Do your session tagging stuff.
    }

Or if you're doing it manually on every page (which I don't find practical), just don't put it in the login.php file. xD

And one more thing, I suggest you don't use whole urls, just explode it till the name of the file so you get 'file.ext' format like I did here. Saves you from a lot of server path error stuff.
doubledee (Author) Posted December 20, 2011

> This won't work if you put that code in each of the webpage parts. Reasons:
> - if it's on EVERY page, then it's in the login page, too. So the login page is also marked in the $_SESSION cookie. After the users log in, they'll be redirected to the login form? Sorry, not what you want there.

Agreed, but I was just going to put it on pages where you'd want to return to after logging in.

> - it's messy. If you want to put code that repeats, put it in your includes file.

Okay.

> You can also: use the user's browser history to navigate him one page back (history.back() in JavaScript)

Except when JavaScript is off...

> implement the login form somewhere in the page so you don't even have to do that. If you're using it in your includes file, you can exclude the code in your login.php like this:
>
>     if(explode('/', $_SERVER['PHP_SELF']) != 'login.php'){
>         // Do your session tagging stuff.
>     }

I have heard that $_SERVER['PHP_SELF'] is insecure... (Hackers can insert any page in that function...) Is there a way to do that another way?

BTW, how does your code work? Explode is supposed to return an array of substrings, so how can you compare an array to 'login.php'??

> Or if you're doing it manually on every page (which I don't find practical), just don't put it in the login.php file. xD

Right!

> And one more thing, I suggest you don't use whole urls, just explode it till the name of the file so you get 'file.ext' format like I did here. Saves you from a lot of server path error stuff.

Except you assume that all files are in the same directory, which they may not be...

Thanks,

Debbie
scootstah Posted December 20, 2011

> I have heard that $_SERVER['PHP_SELF'] is insecure... (Hackers can insert any page in that function...)

Even if they could, so what? They can also just go to the address bar and put any page in it.
doubledee (Author) Posted December 20, 2011

> > I have heard that $_SERVER['PHP_SELF'] is insecure... (Hackers can insert any page in that function...)
>
> Even if they could, so what? They can also just go to the address bar and put any page in it.

Because they could re-direct your user off of your site!!!

(This is a pretty well established no-no in PHP. Google $_SERVER['PHP_SELF']...)

Debbie
Ivan Ivković Posted December 20, 2011

Oh! Sorry! Yuck, another fail of mine. I forgot this:

    if(end(explode('/', $_SERVER['PHP_SELF'])) != 'login.php'){ // end() returns the last array element
        // Do your session tagging stuff.
    }

> Except when JavaScript is off...

Who turns off JavaScript? But okay, you're right technically. That one falls into the water.

> Except you assume that all files are in the same directory, which they may not be...

Well, the directory still doesn't matter, I hope you don't name any of your files the same name.

About PHP_SELF, I didn't know that because I'm not much worried about security, since I develop mostly local CMS.. Thanks!
doubledee (Author) Posted December 20, 2011

> Oh! Sorry! Yuck, another fail of mine. I forgot this:
>
>     if(end(explode('/', $_SERVER['PHP_SELF'])) != 'login.php'){ // end() returns the last array element
>         // Do your session tagging stuff.
>     }

That makes more sense.

> > Except when JavaScript is off...
>
> Who turns off JavaScript? But okay, you're right technically. That one falls into the water.

More people than you'd think. (Any solution that relies solely on JavaScript with no fall-back is a *BAD* idea...)

> > Except you assume that all files are in the same directory, which they may not be...
>
> Well, the directory still doesn't matter, I hope you don't name any of your files the same name.

I don't follow you?!

If I was reading the article located here...

    /articles/postage-meters-can-save-you-money.php

...and my log in page is here...

    /members/login.php

...then taking your advice and stripping off the path will NOT get me from "login.php" back to "postage-meters-can-save-you-money.php"

BTW, you don't seem to be concerned about the shortcomings of $_SERVER['PHP_SELF']... Isn't there another PHP function that does the same thing but is safer??

Debbie
Ivan Ivković Posted December 20, 2011

Stripping the path was just for a file-check. Full paths should be stored in a session file.

I'm not concerned, since I only do local stuff (I'm not on any server), but as I progress, I will know more.

Maybe this helps? http://www.mc2design.com/blog/php_self-safe-alternatives

And I was just using PHP_SELF because I used it at the time, so, another fail of mine. And another lesson for me.
MasterACE14 Posted December 20, 2011

I think you can use $_SERVER['SCRIPT_NAME'] instead, don't quote me on this though.
kicken Posted December 20, 2011

> BTW, you don't seem to be concerned about the shortcomings of $_SERVER['PHP_SELF']... Isn't there another PHP function that does the same thing but is safer??

There are other ways to determine the file's name, yes. PHP_SELF isn't as bad as some people make it out to be though. The only real danger is if you output it to a page without running it through htmlentities first. Using it in other ways is not generally a problem.

Someone can't completely change PHP_SELF to some other url like you implied above. They can only add additional information to the URL. In the example above that might cause your if condition to fail, but it's not any sort of big problem really. The user would just end up back at the login page after logging in. People who use your site as intended will never have this issue, only people who try and abuse it would.

Make a page and print_r($_SERVER), that will show you what your alternatives are. I believe a 'safer' alternative to PHP_SELF is SCRIPT_NAME but I can't remember for sure. I typically don't use either value.
doubledee (Author) Posted December 20, 2011

> Stripping the path was just for a file-check. Full paths should be stored in a session file.

Oops! My bad!

Debbie
doubledee (Author) Posted December 20, 2011

> > BTW, you don't seem to be concerned about the shortcomings of $_SERVER['PHP_SELF']... Isn't there another PHP function that does the same thing but is safer??
>
> There are other ways to determine the file's name, yes. PHP_SELF isn't as bad as some people make it out to be though. The only real danger is if you output it to a page without running it through htmlentities first. Using it in other ways is not generally a problem.
>
> Someone can't completely change PHP_SELF to some other url like you implied above. They can only add additional information to the URL. In the example above that might cause your if condition to fail, but it's not any sort of big problem really. The user would just end up back at the login page after logging in. People who use your site as intended will never have this issue, only people who try and abuse it would.
>
> Make a page and print_r($_SERVER), that will show you what your alternatives are. I believe a 'safer' alternative to PHP_SELF is SCRIPT_NAME but I can't remember for sure. I typically don't use either value.

Doesn't the constant '__FILE__' tell you what page you are on?

Debbie
Ivan Ivković Posted December 20, 2011

> > Stripping the path was just for a file-check. Full paths should be stored in a session file.
>
> Oops! My bad!
>
> Debbie

Ya, I did that because if you check for the file from different servers, you'd have to manually change the directory stuff.. So let's just stick to the file.

About the constant, yippie!

Hope I helped in any way. Cheers!

P.S. I'm new to this forum and I really like it...
kicken Posted December 20, 2011

> Doesn't the constant '__FILE__' tell you what page you are on?

The constant __FILE__ tells you what file is currently executing. This will change for included files. eg:

common.inc.php:

    <?php
    var_dump(__FILE__);
    ?>

index.php:

    <?php
    include 'common.inc.php';
    var_dump(__FILE__);
    ?>

The var_dump inside of common.inc.php will output a path such as:

    /home/doubledee/html/common.inc.php

whereas the one inside index.php will output:

    /home/doubledee/html/index.php

So, you can use __FILE__ to determine what file you're currently executing in, but not what file was actually requested. __FILE__ is mainly useful for logging errors or deriving file locations relative to the current file.
doubledee (Author) Posted December 20, 2011

> > > Stripping the path was just for a file-check. Full paths should be stored in a session file.
> >
> > Oops! My bad!
> >
> > Debbie
>
> Ya, I did that because if you check for the file from different servers, you'd have to manually change the directory stuff.. So let's just stick to the file.
>
> About the constant, yippie!
>
> Hope I helped in any way. Cheers!
>
> P.S. I'm new to this forum and I really like it...

I think this is a *safer* way to get the current file name...

    $currentFile = basename($_SERVER['SCRIPT_NAME']);

Someone please verify this!!

Thanks,

Debbie

P.S. Welcome Ivan! Glad to have you here!
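As an added example (not code from anyone in this thread), here is one way to put the pieces of the discussion together in PHP: Debbie's session-based return page, Ivan's exclusion of login.php, kicken's point that the script name is only dangerous when echoed unescaped, and a check that the stored path is site-local before the login script redirects to it. The BASE_URL value and all function names are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Assumes BASE_URL is the site's own
// origin (placeholder value here) and that sessions are in use.
declare(strict_types=1);
define('BASE_URL', 'https://www.example.com'); // placeholder, not a real site
session_start();

// Call at the top of any page a user may want to come back to. SCRIPT_NAME,
// unlike PHP_SELF, does not carry extra PATH_INFO appended by whoever built the
// link, and the login page itself is skipped so nobody is bounced back to the form.
function remember_return_page(): void {
    $script = $_SERVER['SCRIPT_NAME'] ?? '';
    if (basename($script) === 'login.php') {
        return;
    }
    $_SESSION['returnToPage'] = $script;
}

// Accept only a site-local path: exactly one leading "/", no scheme or host,
// no backslash, no "//" (protocol-relative), no control characters, and not
// the login page. Anything else falls back to the home page, so a bad session
// value can never send the user off-site, which is the concern raised above.
function safe_return_path(?string $candidate): string {
    if ($candidate !== null
        && preg_match('#^/(?!/)[A-Za-z0-9._~/!$&\'()*+,;=:@%-]*$#', $candidate) === 1
        && basename($candidate) !== 'login.php') {
        return $candidate;
    }
    return '/index.php';
}

// Login script: redirect once, then stop. Without exit the rest of the script
// keeps running after the Location header has been sent.
function redirect_after_login(): void {
    $target = safe_return_path($_SESSION['returnToPage'] ?? null);
    unset($_SESSION['returnToPage']); // single use
    header('Location: ' . BASE_URL . $target);
    exit;
}

// If the script name is echoed into HTML (for example as a form action), escape
// it first; this is the one place where PHP_SELF-style values become an XSS problem.
function form_action(): string {
    return htmlspecialchars($_SERVER['SCRIPT_NAME'] ?? '', ENT_QUOTES, 'UTF-8');
}
```

With these helpers, a value like `//evil.example/` or `https://...` stored in `returnToPage` is rejected by safe_return_path() and the user lands on /index.php instead.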