In light of the fact that everyone pointed out how insecure the HTTP_REFERER value is, since it can be spoofed by the right browser and user...

Why not write a small PHP function and include it at the top of every critical page? When the page is loaded, your routine will check the required credentials. If the user needs to log in to see the page, then display another include. Do not refer them to another page or URL. Then you do not have to worry about where they came from to be able to send them back. Then, once they have posted the sign-on form, it is posted back to itself; see PHP_SELF.

This is all along the lines of having a form page that, when submitted, sends the information to itself and not to another form-processing page. You can check the PHP variable to see if the form was submitted or if the user just landed on the given page.

Regards,
Paul

--- Jer <[EMAIL PROTECTED]> wrote:

>
> This technique doesn't seem to keep the variable.
>
> Here's how it should work:
>
> 1) User arrives at site
> 2) User searches (queries MySQL DB)
> 3) Search results page is displayed.
> 4) The search result is retrieved by passing a variable in the URL
> 5) In order to update information on the page, the user must log in.
> 6) The user goes to the log in page (which is two pages...the form and
> the log-in confirmation page).
>
> And this is where I'm stuck.
>
> The user should be able to log in from any page on the site (either
> the main page, the search results page, the page displaying the row
> from the search, etc. etc. etc.). For every one of these, the user
> should be able to get back to where they initiated the log-on from.
> That includes saving the variables that are passed in the URL. So
> every search and every page is completely different.
>
> In this case is HTTP_REFERER the best bet? My concern, however, is
> that it's not a 100% of the time solution. What kind of code could I
> include for those who have configured their browsers to block it...so
> that they would always be transported to the main page or something)?
>
> Jer
>
> --- In [email protected], "Conor Doyle" <[EMAIL PROTECTED]> wrote:
> > I do this on my site by capturing the url, base64 encoding it, passing
> > it to the login page. The login page will then use that information
> > after the user is authenticated. Example:
> >
> > // I put this in my 'security' script - the script that checks if the
> > // user is logged in
> > $url = $_SERVER['PHP_SELF'];
> > $url = base64_encode($url);
> > header("location:http://www.foo.com/loginform.php?url=$url");
> >
> > // this is in the login script.
> > $url = base64_decode($url);
> > $base = $_SERVER['SERVER_NAME'];
> > $fullurl = $base.$url;
> >
> > Once they are logged in, I use a meta re-direct and a straight text link
> > to direct the user to the previous page:
> >
> > <a href="$fullurl">Continue...</a>
> >
> > Now hopefully the people here who actually know what they are doing
> > won't see a ton of security issues with this script. ;-)
> > Additionally, there is probably a more elegant solution to this problem
> > that I'm not aware of...
> >
> > HTH,
> >
> > Conor
> >
> > -----Original Message-----
> > From: Jer [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, April 07, 2005 8:40 AM
> > To: [email protected]
> > Subject: [php-list] Back to original page after login
> >
> > I'm working on my first site using authentication and sessions. Users
> > can log in from any page on the site.
> >
> > However...when a user logs in, how do I direct them back to the page
> > they were viewing? This would include the variables that are passed to
> > the MySQL database.
> >
> > Is there a way to look back in the browser history a couple of pages?
> >
> > Jer
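Paul's suggestion above (an include at the top of each protected page that shows the login form in place and posts back to itself), written out as an added example that is not code from any poster in this thread. The names `require_login()`, `check_credentials()`, `local_target()`, the form field names and the demo account are assumptions; it reads `REQUEST_URI` rather than `PHP_SELF` so the URL variables Jer mentions survive the login, and it never consults HTTP_REFERER.

```php
<?php
// Added example; function names, form fields and the demo account are hypothetical.
// Include this file at the top of each protected page, then call require_login().
function check_credentials(string $user, string $pass): bool
{
    // Constructed demo account; a real site would query its user table.
    static $users = null;
    $users ??= ['demo' => password_hash('constructed-password', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

function local_target(string $uri): string
{
    // Accept only a same-site path plus query string; "//host", backslashes
    // and control characters fall back to the front page.
    if ($uri === '' || $uri[0] !== '/' || preg_match('#^//|[\\\\\x00-\x1f]#', $uri)) {
        return '/';
    }
    return $uri;
}

function require_login(): void
{
    session_start();
    if (!empty($_SESSION['user'])) {
        return; // already signed in: the page continues normally
    }
    // REQUEST_URI keeps the query string that PHP_SELF drops.
    $self = local_target($_SERVER['REQUEST_URI'] ?? '/');
    $user = $_POST['login_user'] ?? null;
    $pass = $_POST['login_pass'] ?? null;
    $error = '';
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && is_string($user) && is_string($pass)) {
        if (check_credentials($user, $pass)) {
            session_regenerate_id(true);              // prevent session fixation
            $_SESSION['user'] = $user;
            header('Location: ' . $self, true, 303);  // reload the same page via GET
            exit;
        }
        $error = '<p>Login failed.</p>';
    }
    // Show the form in place instead of redirecting; escape the URL before
    // it goes into the action attribute.
    $action = htmlspecialchars($self, ENT_QUOTES, 'UTF-8');
    echo $error, '<form method="post" action="', $action, '">',
         '<input name="login_user"> <input name="login_pass" type="password">',
         '<button>Log in</button></form>';
    exit;
}
```

Because the form's action is the page's own validated path and query string, no return URL is passed as a user-controlled parameter, so there is nothing for a crafted link to redirect to another host.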
