Posted by Gordon Burditt on 10/26/05 21:08
>@Gordon
>I don't completely understand the next part:
>> "Well, if it's just a random link, it probably won't have your hidden
>> form-field with the place to go back to listed. isset($_PUT['go_back_to'])
Oops. That should be isset($_POST['go_back_to']).
>> might be useful to test this. "
>I understood that I should use the hidden field, but could you please
>try to explain (in other words) what you mean by that part?
If you have a hidden field in your login form, say:
<input type="hidden" name="go_back_to" value="http://www.domain.com/foo.php">
(the value part will be generated from some variable like
$_SERVER['REQUEST_URI'])
on all of your login pages, then when the user clicks the SUBMIT button,
you will have "http://www.domain.com/foo.php" in $_POST['go_back_to'].
If someone else sets up a non-form link, $_POST['go_back_to'] will
be empty. A quick but unreliable way to test if one of your forms
was used is to test isset($_POST['go_back_to']). This should have
no false negatives (your login forms *ALWAYS* have the hidden field).
There might be false positives. So if that variable isn't set,
it DEFINITELY isn't one of your login forms.
Someone CAN copy the HTML for your login form and set it up on another
server.
>@Justin,
>I have the $_SERVER['REQUEST_URI'] implemented in some parts of the
>site already. And it always works AFAIK ...
>Could there be certain circumstances on my site that would cause it to
>fail?
Gordon L. Burditt
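Gordon's hidden-field test, and the caveat that follows it, written out as an added PHP example (this is not code from the thread). The field name go_back_to is the one from the post; hidden_go_back_field(), safe_return_path() and handle_login() are names assumed here, and the sample submissions at the bottom are constructed. It goes one step beyond the post: because a copied form can put anything in go_back_to, the value is checked to be a local path before it is used in a redirect.

```php
<?php
// Added example, not code from the original thread. The function names
// hidden_go_back_field(), safe_return_path() and handle_login() are
// illustrative assumptions; go_back_to is the field name used in the post.

// Emit the hidden field for the page being rendered. $request_uri is what
// $_SERVER['REQUEST_URI'] holds there, i.e. a path such as "/foo.php?page=2".
// htmlspecialchars() keeps a crafted URI from breaking out of the attribute.
function hidden_go_back_field(string $request_uri): string {
    return '<input type="hidden" name="go_back_to" value="'
         . htmlspecialchars($request_uri, ENT_QUOTES, 'UTF-8') . '">';
}

// Accept only a local path as the return target: it must be a string that
// starts with a single "/" (so neither "//evil.example" nor
// "http://evil.example" passes) and must contain no control characters that
// could inject a second header line into the Location response header.
function safe_return_path($candidate, string $default = '/'): string {
    if (!is_string($candidate) || $candidate === '' || $candidate[0] !== '/'
        || substr($candidate, 0, 2) === '//') {
        return $default;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $default;
    }
    return $candidate;
}

// Classify a submission the way the post describes and decide where to send
// the user after a successful login. 'ours' is "no" when the submission
// cannot have come from one of our forms, "maybe" otherwise.
function handle_login(array $post): array {
    // Our login forms always carry go_back_to, so its absence is conclusive:
    // a plain link, or a form built without the field, is definitely not ours.
    if (!isset($post['go_back_to'])) {
        return ['ours' => 'no', 'redirect' => '/'];
    }
    // Its presence proves nothing: the form HTML can be copied to another
    // server and the value set to anything. Treat it as untrusted input and
    // validate it before using it in a redirect.
    $target = safe_return_path($post['go_back_to']);
    // ... check credentials here, then: header('Location: ' . $target);
    return ['ours' => 'maybe', 'redirect' => $target];
}

// Constructed sample submissions; run with: php login_check.php
if (PHP_SAPI === 'cli') {
    $uri = '/foo.php?page=2';
    echo hidden_go_back_field($uri), "\n";
    $samples = [
        'genuine' => ['user' => 'bob', 'go_back_to' => $uri],
        'link'    => ['user' => 'bob'],                               // plain link, no hidden field
        'copied'  => ['user' => 'bob', 'go_back_to' => '//evil.example/'],
        'split'   => ['user' => 'bob', 'go_back_to' => "/ok\r\nSet-Cookie: x=1"],
    ];
    foreach ($samples as $name => $post) {
        $r = handle_login($post);
        printf("%-8s ours=%-5s redirect=%s\n", $name, $r['ours'], $r['redirect']);
    }
}
```

On the constructed input, only the "genuine" submission keeps its original return path; "link" is rejected outright by the isset() test, while "copied" and "split" pass that test (as the post warns they can) and are caught only by the path validation, which sends them to "/".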