Reply to Re: Login system

Posted by Gordon Burditt on 10/26/05 19:04

>I have a site with a MySQL backend. It has a member-system.
>Members login with a small login-form that appears on every page
>(via include())
>If members are logged in, the form disappears and a few extra links
>appear instead of the form.
>
> - If members log in, I want to redirect them, if successful, back to
> the page they logged in from.
> Should I use an extra hidden form-field with the
> $_SERVER['request_uri'] or should I use the $_SERVER['http_referer']?

http_referer is sent from the browser, so it can't be trusted.
Also, many people turn it off or send nonsense for it. Some people
may not be able or willing to easily turn it back on for your site.
Use your hidden field. You have much more control over it.

> - In both cases, how can i check that the referer is from MY domain?

Well, if it's just a random link, it probably won't have your hidden
form-field with the place to go back to listed. isset($_POST['go_back_to'])
might be useful to test this.

> If users log in from http://domain.com/page.php I want to send them
> back to that page, and not to http://www.domain.com/page.php and
> vice versa.
> How do I make sure they come from 1 of my own pages, and it's
> accepted WITH and WITHOUT the 'www' prefix?

Parse the URL. If it's www.domain.com, change it to domain.com.
If it's not on a list of domains that are "yours", or not http or
https, or the field is missing entirely, send them to your home
page or someplace default. You could have a complete list of all
acceptable URLs where you have these login forms, but that's probably
too much work and not worth it. Just checking the domain is probably
enough.

Gordon L. Burditt
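
The check described in the reply above, as an added PHP example (not part of the original post or the poster's own code). The function name `safe_return_url`, the allow-list entry `domain.com` and the sample inputs are assumptions; it expects the hidden field to carry an absolute URL, and it strips `www.` for the comparison only, so the visitor goes back to the host they came from.

```php
<?php
// Added example: validate a "go back to" URL before redirecting.
function safe_return_url($candidate, array $allowedHosts, $default = '/')
{
    // Missing field, or characters browsers reinterpret or that could
    // split a header (backslash, whitespace, control chars): use default.
    if (!is_string($candidate) || $candidate === ''
        || preg_match('/[\\\\\x00-\x20\x7f]/', $candidate)) {
        return $default;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $default;            // relative, "//host/..." or malformed
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $default;            // anything that is not http or https
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $default;            // e.g. http://domain.com@other.example/
    }
    $host = strtolower($parts['host']);
    // Strip one leading "www." for the comparison only.
    $bare = (strpos($host, 'www.') === 0) ? substr($host, 4) : $host;
    if (!in_array($bare, $allowedHosts, true)) {
        return $default;            // not on the list of "your" domains
    }
    // Rebuild from the parsed pieces instead of echoing the raw input.
    $url = $scheme . '://' . $host;
    if (isset($parts['port'])) {
        $url .= ':' . (int) $parts['port'];
    }
    $url .= isset($parts['path']) ? $parts['path'] : '/';
    if (isset($parts['query'])) {
        $url .= '?' . $parts['query'];
    }
    return $url;
}

// Constructed sample inputs, as they might arrive in the hidden field.
$allowed = array('domain.com');
$samples = array(
    'http://www.domain.com/page.php?id=3',
    'http://domain.com@other.example/',
    '//other.example/page.php',
    'ftp://domain.com/page.php',
);
foreach ($samples as $in) {
    echo $in, ' => ', safe_return_url($in, $allowed, 'http://domain.com/'), "\n";
}
```

Pass the return value to `header('Location: ...')` only after a successful login, and keep the default pointing at a fixed page on your own site.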
