Re: The prefered 'login' procedure and redirect.

From: Andy Hassall (andy_at_andyh.co.uk)
Date: 03/24/05


Date: Thu, 24 Mar 2005 21:39:31 +0000

On Thu, 24 Mar 2005 06:56:25 -0000, "Simon" <spambucket@myoddweb.com> wrote:

>I have a Login.php page that logs the user in and out.
>It has two forms within the page, (depending on what we are trying to do),
>either one to log in or out.
>
>The form calls itself using a post method and either logs the user in or
>out given the information from the form.
>but every page uses sessions and cookies, if the user is successfully logged
>in then the cookies and session values are updated, (as well as MySQL).
>
>Now it all works fine but I want to add some functionality where if the user
>goes to a restricted page they are sent to the login page, and if the login
>is successful then they will be sent back to the original restricted page.
>
>I can redirect the user from the restricted page to the login page, but
>returning to the restricted page after login is a problem as the headers
>have been sent already, (to do the login).
>Because the login uses sessions/cookies and tables I have to send the
>headers to do the login as I cannot login the user and then redirect them to
>a page, (the redirect must be before sessions/cookies I believe).
>
>So what is the 'preferred' way to redirect users after a successful login?

 The simplest method, which only works if the resource you're protecting is a
PHP script, is to "include" a function to check the login on each protected
page before any output is sent.

 This function can check sessions/cookies/whatever, and since it's being called
by the protected page, it has access to variables such as $_SERVER['PHP_SELF']
or $_SERVER['REQUEST_URI'] and so on, in other words, all the information
required to reconstruct the URL being accessed, including GET variables.

 If the login function can't authenticate the user, it can present a login form
instead of the protected URL, posting back to your Login.php with a hidden form
field containing the URL. On successful login, it can issue a "Location" header
back to the URL saved from earlier.

 If you're protecting a POST, things get a little more awkward since redirecting
POST data is not consistently supported across browsers, but you could transfer
the POST variables into a session variable, and reconstruct the form fields, so
after successfully logging in, it could present an "OK, you're logged in, now
click this submit button to retry your request" form.

 If you're trying to protect non-PHP resources, i.e. you can't add a check at
the top of each page, then it gets much more complicated.

-- 
Andy Hassall / <andy@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
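The include-a-check pattern Andy describes, written out as an added example that is not code from the original thread: a require_login() to include at the top of each protected PHP page before any output, the login form carrying the original URL in a hidden field, and the piece of Login.php that sends the user back after a successful login. Function names, the $_SESSION['user_id'] key and the "return" field name are assumptions, and the credential check itself is left out. The saved URL is restricted to a local path before it is used in a Location header, so the hidden field cannot be turned into an open redirect to another site.

```php
<?php
// Added example, not from the original thread. Assumed layout: this file is
// auth_check.php, included by every protected page before output starts.

// Only accept a path on this site (single leading "/", no "//host" or "/\host",
// no CR/LF). Anything else falls back to "/", which closes the open-redirect hole
// that a hidden "return" field would otherwise open.
function safe_return_url(string $url): string
{
    return preg_match('#\A/(?![/\\\\])[^\r\n]*\z#', $url) === 1 ? $url : '/';
}

// Call at the top of each protected PHP page, before any output is sent.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!empty($_SESSION['user_id'])) {
        return; // already authenticated, let the page render
    }
    // REQUEST_URI carries path and query string, e.g. /report.php?id=7,
    // which is everything needed to come back here after login.
    $return = safe_return_url($_SERVER['REQUEST_URI'] ?? '/');
    header('Location: /Login.php?return=' . rawurlencode($return), true, 302);
    exit;
}

// Login.php: the form posts back to itself with the URL in a hidden field.
function render_login_form(string $return): string
{
    $safe = htmlspecialchars(safe_return_url($return), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/Login.php">'
         . '<input type="hidden" name="return" value="' . $safe . '">'
         . '<input type="text" name="user"> <input type="password" name="pass">'
         . '<input type="submit" value="Log in"></form>';
}

// Login.php, once credentials have been verified (verification assumed):
// set the session, rotate the session id, then redirect to the saved URL.
function finish_login(int $userId, string $returnField): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    header('Location: ' . safe_return_url($returnField), true, 303);
    exit;
}
```

Because no output has been produced before header() is called in either function, the redirect works without running into the "headers already sent" problem from the question.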