Posted by Justin Koivisto on 10/26/05 18:49
frizzle wrote:
> I have a site with a MySQL backend. It has a member-system.
> Members login with a small login-form that appears on every page
> (via include())
> If members are logged in, the form disappears and a few extra links
> appear instead of the form.
>
> - If members log in, I want to redirect them, if successful, back to
> the page they logged in from.
> Should I use an extra hidden form-field with the
> $_SERVER['request_uri'] or should I use the $_SERVER['http_referer']?
>
> - In both cases, how can I check that the referer is from MY domain?
> If users login from http://domain.com/page.php I want to send them
> back to that page, and not to http://www.domain.com/page.php and
> vice versa.
> How do I make sure they come from 1 of my own pages, and it's
> accepted WITH and WITHOUT the 'www' prefix?
In my project (sf.net/projects/phpsecurityadm) I've been using the
REQUEST_URI. If you use the referer, that's the page they came from, so
if they have the login bookmarked, then it will be blank. If they have a
proxy or firewall, that may be blank as well... If you use PHP_SELF,
then a site that uses mod_rewrite or the like would have problems
since it isn't finding what it expects.
Basically, I have this set up in my login form generation:
if(isset($_SERVER['REQUEST_URI'])){
    // Escape before echoing into the attribute, otherwise a crafted
    // query string could break out of it.
    $uri = htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES);
}else{
    $uri = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);
}
echo '  <form method="post" action="', $uri, '">', "\n",
     '    <fieldset>', "\n",
     '      <input type="hidden" name="PSA_REQ_URI" value="', $uri, '" />', "\n";
This seems to have been working out well for me and other users.
--
Justin Koivisto, ZCE - justin@koivi.com
http://koivi.com
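The other half of the question, checking that the value coming back in PSA_REQ_URI really points at one of your own pages, is not covered by the post. This is an added example, not code from the post or from phpsecurityadm: it accepts only a same-site absolute path, so a relative Location header keeps the user on whichever host (www or not) they were already using and the field can never be turned into a redirect to another site. The function names, the '/' fallback and the hostnames in the test inputs are constructed for the example.

```php
<?php
// Added example (not from the original post): validate the hidden PSA_REQ_URI
// value before using it as a post-login redirect target. Only a same-site
// absolute path is accepted, so the redirect keeps whatever host (www or not)
// the user already uses and can never send the browser to another site.
function safe_return_path(?string $candidate, string $fallback = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // Control characters enable header injection; backslashes are treated
    // like forward slashes by some browsers.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate)) {
        return $fallback;
    }
    // Exactly one leading "/": "//host/..." is scheme-relative and leaves the site.
    if ($candidate[0] !== '/' || (isset($candidate[1]) && $candidate[1] === '/')) {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $candidate;
}

// Escape the value when rendering the hidden field (and the form action), so a
// crafted query string cannot break out of the attribute.
function hidden_return_field(string $requestUri): string
{
    $safe = htmlspecialchars($requestUri, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="PSA_REQ_URI" value="' . $safe . '" />';
}

// Constructed inputs: what a browser, or a tampered form, might submit.
$cases = [
    '/page.php?id=7'              => '/page.php?id=7', // same-site path, kept
    ''                            => '/',              // no value, fallback
    '//evil.example/'             => '/',              // protocol-relative URL
    'http://evil.example/x'       => '/',              // absolute URL
    '/\\evil.example'             => '/',              // backslash trick
    "/page.php\r\nSet-Cookie:x=1" => '/',              // CRLF injection
    'page.php'                    => '/',              // not an absolute path
];
foreach ($cases as $in => $want) {
    $got = safe_return_path($in);
    printf("%-34s -> %s\n", json_encode($in), $got === $want ? 'ok' : "FAIL ($got)");
}
echo hidden_return_field('/page.php?q="><script>'), "\n";
// On success: header('Location: ' . safe_return_path($_POST['PSA_REQ_URI'] ?? null)); exit;
```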