• 0

[PHP] redirect back to page after logging in

Asked by saiya,

 Share

Question

Rising Star

saiya

Posted
Posted

Hey,

does anyone know where I can get a script that will redirect my users back to the page they were viewing after logging in?

if i have user page2.php and they aren't logged in, they will be redirected to the index.php where the login page is. after login in how can they be taken back to page2.php where the content is viewable only if you are registered and logged in...

16 answers to this question

Recommended Posts

  • 0
Mentor

Hot

Posted
Posted

When they first visit the login page, look at the $_SERVER['HTTP_REFERER'] variable and either save the referring address in the session, or save a default address in the session if there was no referrer page. After they log in, redirect them to the address you stored in the session.

  • 0
Grand Master

Nagisan

Posted
Posted

Since your using php, try:

header('Location : http://www.website.com/page2.php');

The problem with that is it is not really dynamic enough, he wants them to return to whatever page they were on before hitting log in, page2.php was simply an example he used. You could however use that along with the first responses solution so you are able to grab the page they came from, then redirect them back there after login using the header function. But, I am not PHP expert (I have experience in it, but far less than many others)....so there may be a better way to handle it.

  • 0
Grand Master

Andrew Lyle Global Moderator

Posted
  • Global Moderator
Posted

What he could do, my original thought, but wanted to provide him with what he requested, is use a cookie or session, very easy to code.

And just enable parts of the page if the login returns successful.

  • 0
Rising Star

saiya

Posted
  • Author
Posted

I have it

if (!isset($_SESSION['user_id']))
{
header("Location: account.php");
}

which redirects the user back to account.php after login in.

but if the user was on a different page i would like them to be taken back to that same page dynamically after logging in.

Its cause after my session expires the user will be directed to the login page but then the login page directs them to the default page. I wanted them to be taken back to the page they were on after login in...

  • 0
Grand Master

Andrew Lyle Global Moderator

Posted
  • Global Moderator
Posted

I have it

if (!isset($_SESSION['user_id']))
{
header("Location: account.php");
}

which redirects the user back to account.php after login in.

but if the user was on a different page i would like them to be taken back to that same page dynamically after logging in.

Its cause after my session expires the user will be directed to the login page but then the login page directs them to the default page. I wanted them to be taken back to the page they were on after login in...

take a look at this page: http://ca.php.net/reserved.variables.server & http://www.tizag.com/phpT/phpsessions.php

My best bet would be to store each page as a session, excluding the login page. Once the user has finished the login section, read the session and add it to

header("Location: ". $_SESSION['page']);

  • 0
Enthusiast

Tom Bonez

Posted
Posted

Simply use:

<?php
$ref = $_SERVER['HTTP_REFERER'];
header( 'refresh: 0; url='.$ref);
?>

You can change the refresh limit depending on if you choose to display a message.

(I use this myself and it works a treat, any problems don't hesitate to message me :))

  • 0
Rising Star

saiya

Posted
  • Author
Posted

Simply use:

<?php
$ref = $_SERVER['HTTP_REFERER'];
header( 'refresh: 0; url='.$ref);
?>

You can change the refresh limit depending on if you choose to display a message.

(I use this myself and it works a treat, any problems don't hesitate to message me :))

Hmmmm, well after looking around the PHP.net sitr I put this together

function page_protect() {
session_start();

//check for cookies
if(isset($_COOKIE['user_id']) && isset($_COOKIE['username'])){
 	$_SESSION['user_id'] = $_COOKIE['user_id'];
 	$_SESSION['username'] = $_COOKIE['username'];
 }

if (!isset($_SESSION['user_id']))
{
$_SESSION['login_retval'] = $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'] ; // <- This is what I updated it with, I haven't tried it yet, but I got a feelings its wrong lol
header("Location: account.php");
}

  • 0
Enthusiast

Tom Bonez

Posted
Posted

Hmmmm, well after looking around the PHP.net sitr I put this together

function page_protect() {
session_start();

//check for cookies
if(isset($_COOKIE['user_id']) && isset($_COOKIE['username'])){
 	$_SESSION['user_id'] = $_COOKIE['user_id'];
 	$_SESSION['username'] = $_COOKIE['username'];
 }

if (!isset($_SESSION['user_id']))
{
$_SESSION['login_retval'] = $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'] ; // <- This is what I updated it with, I haven't tried it yet, but I got a feelings its wrong lol
header("Location: account.php");
}

Didn't read the part about it redirecting to index.php for login, I'd personally code this differently. If you don't find a solid solution to your problem when I've had some sleep I'll drop you a line :)

  • 0
Rising Star

saiya

Posted
  • Author
Posted

Didn't read the part about it redirecting to index.php for login, I'd personally code this differently. If you don't find a solid solution to your problem when I've had some sleep I'll drop you a line :)

ya, actually i'm pretty drain too. I'm going to bed now... been tinkering with this and and upload image script i'm getting headaches over.

you can check that out too if you would like to give some feed back ;)

https://www.neowin.net/forum/topic/897196-phpmysql-compare-session-info-to-db-in-a-query/page__gopid__592575702entry592575702

but yes, I think I'm not thinking about this correctly and might need some help getting the referral thing to work.

My thing was to have this scenario

index.php has login details, that when logged in takes you to account.php

say you access www.mysite.com/upload.php without being logged in, my page_protect() will take you to the index.php to login. But onces logged in instead of being redirected to account.php to be redirected to upload.php...

  • 0
Rising Star

saiya

Posted
  • Author
Posted

I'm no expert on the subject, but the suggestions in this thread are a great way to introduce XSS and injection vulnerabilities. All I'd have to do is set a cookie with a valid userid and username and get to someone else's account page.

well the cookies are sha1 with a salt. you would need to have to guess the entire string for it to match, I have a check on my pages also that the page cannot be accessed unless

user_id matches a md5(user_id) and the password in the cookie doesn't match the sha1(password) from the database.

Its probably still not fully protected, but since I'm learning this is how i figured...

  • 0
Rising Star

kyosuken

Posted
Posted

One solution i have seen is to append the previous url to the query string, ie like

if (!isset($_SESSION['user_id']))
{
header("Location: index.php?nav=".$whateverpageyouwerebrowsingbefore);
}

// $whateverpageyouwerebrowsingbefore would be something like /account/, /main/ or whatever

It's not much different than storing in a cookie the previous page, but it still need to be sanitized/validated against a list of permitted/allowed urls (or uri segments) you can include an associative array in all your page which maps your "route" to the correct redirect page. As for storing session information in a cookie : bad idea imo you should always store unimportant information in a cookie, even if it's encrypted, session are much more secure in this regard (even though you have to protect your app from session fixation vulnerabilities, but any serious dev will always do that unless they don't use sessions).

  • 0
Rising Star

saiya

Posted
  • Author
Posted

One solution i have seen is to append the previous url to the query string, ie like

if (!isset($_SESSION['user_id']))
{
header("Location: index.php?nav=".$whateverpageyouwerebrowsingbefore);
}

// $whateverpageyouwerebrowsingbefore would be something like /account/, /main/ or whatever

It's not much different than storing in a cookie the previous page, but it still need to be sanitized/validated against a list of permitted/allowed urls (or uri segments) you can include an associative array in all your page which maps your "route" to the correct redirect page. As for storing session information in a cookie : bad idea imo you should always store unimportant information in a cookie, even if it's encrypted, session are much more secure in this regard (even though you have to protect your app from session fixation vulnerabilities, but any serious dev will always do that unless they don't use sessions).

hmmm, i see

well i'm currently trying to set up a sessions table in my database to store the user sessions. try to be a little more secure that way, when I finish my site i'll look into extreme security measures and how to implements them. but for now i get a headeache thinking that far ahead or how more complicated things will be when i need to learn them.

  • 0
Rising Star

kyosuken

Posted
Posted

Securing a webapp/website isn't that difficult, you have ready to use libraries that can take care of it (somehow it's not automatic though, and for learning purpose anything "automatic" is evil).

The 4 most important things to recall when making a webapp are : XSS, XSRF (or CSRF), Session Fixations and SQL injection, xss is a matter of removing ability to run (mostly) any client code from your app :

Say you have a comment section somewhere in your code and it's to prevent people from injecting JS so that if someone hits the page they won't have spy scripts gathering your users session (for example).

CSRF/XSRF (Cross site request forgery) is to protect your admin functions, they should be built so that accessing them requires double authentication or in a separate process altogether, it's the trickier thing to protect.

Session fixations, well it's to prevent people to catch your session for one (through XSS usually) and access your website without even have to log in, there are a couple of ways to deal with that (special handshake at login, then stored in the DB ; the handshake is compiled and compared to the value stored in the DB each time a page is loaded, if the handshake is different, mostlikely to happen if someone got a session by vile means => logout/boot the user. Note that regarding session fixations the more restrictive you get the more likely you may kick legit users from accessing your applications. Things like transparent proxies, people behind nat etc etc... You will have to find the correct mix !. Also as you are using php, there is a server.ini settings that do not allow session information to be used as a query string (it disables the global variable $SSID if i recall)

And lastly Sql injection, (this is where validation comes in to play 99% of the time) attack vectors are most of the time forms/query strings/client cookies, validation should be done with anything that acts as an input, hopefully php has a bunch of tools that will help escape your sql commands.

But even if you master all of this and know how to protect your application, the number one flaw in your app will always be the dev, it's just a matter of "forgetting" to validate an input, or having a logic error in the code that will allow bad doers to f*ck around with your web app.

Edit: Fixed somethings that didn't make any sense, English is not my mother tongue.

This topic is now closed to further replies.
 Share
Go to question listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • EA Sports UFC 6 review: Brutal, satisfying, and surprisingly accessible to newcomers

      By +Good Bot, Bad Bot · Posted

      I think he means you haven't reviewed previous UFC games. Of course it doesn't matter... Every time you just report on something that involves the President even if just simply what happened you guys usually get accused of being anti-Trump. We live in fun times.
    • Here is how I fixed Windows 11 not booting after clean installation

      By TheGhostPhantom · Posted

      So how did you solve the problem? Disabling Secure Boot isn’t a solution.
    • Here is how I fixed Windows 11 not booting after clean installation

      By rseiler · Posted

      Another devilish issue surrounding these certificates is what can happen with old, unsuspecting PCs that nevertheless have Secure Boot enabled. In my case, it was a Dell with a 3rd-gen Core chip (so about 13 years old). As of the last few weeks, it was suddenly BSOD'g within about 5 minutes of booting. Turns out it was because of MS's "Secure-Boot-Update" scheduled task, which is scheduled to run 5 minutes after login. It's explained in gory detail here (this is not my post, but it was where I found the answer), but the short version is that this legacy system would need fairly elaborate, manual certificate intervention since MS's automatic cert update method cannot work. How to do that is linked late in the thread. https://www.bleepingcomputer.c...od-caused-by-scheduled-task Secure Boot wasn't at all important for this particular PC, so I disabled it to be done with the problem.
    • Winhance 26.06.12

      By Copernic · Posted

      Winhance 26.06.12 by Razvan Serea Winhance is an open-source Windows enhancement utility designed to help users debloat, optimize, and customize Windows 10 and 11. It provides a user-friendly interface for removing unwanted apps, legacy components, and optional features safely, giving you more control over your system. With Winhance, you can improve performance, reduce clutter, and enhance privacy without the need for a clean install. Beyond basic debloating, Winhance offers extensive optimization tools. Users can tweak power plans, adjust gaming and performance settings, control notifications, and manage Windows Update behavior. Privacy-focused settings allow you to limit telemetry and data collection, while system customization options let you personalize the taskbar, Start menu, Explorer, and Windows themes. Winhance also supports installing or removing software efficiently, including external apps via WinGet integration, streamlining both new setups and daily maintenance. New AI privacy groups have been added for Windows AI, Microsoft Edge AI, and Microsoft Office AI, giving users clearer control over AI-related telemetry and feature usage. In addition, new settings in Gaming & Performance introduce AI taskbar pin toggles, options to remove AI apps, and controls for AI services and scheduled tasks, allowing users to better manage how AI components run in the background and appear in the system. For advanced users and IT professionals, Winhance integrates WIMUtil, a tool for creating custom Windows installation ISOs with automated configuration. You can generate autounattend.xml files, inject drivers, and apply your chosen Winhance settings automatically during installation. Most changes are non-destructive and reversible, with clear explanations in the GUI. Whether you’re optimizing a single PC or managing multiple systems, Winhance delivers a faster, cleaner, and highly personalized Windows experience. The Winhance.Installer.exe includes both Installable and Portable versions during setup. Winhance supports both Windows 10 and Windows 11 64-bit versions. It's regularly updated to ensure compatibility with the latest Windows updates and features. Winhance key features: Debloat Windows – Safely remove unwanted apps, features, and legacy components. Optimize Performance – Tune system settings for speed, responsiveness, and gaming. Privacy Enhancements – Control telemetry, data collection, and notifications. Power Management – Configure power plans and advanced energy settings. Windows Update Control – Adjust update behavior for stability and convenience. Theme Customization – Switch between light/dark mode and adjust system colors. Taskbar & Start Menu Tweaks – Modify layout, icons, and behavior. Explorer Customization – Adjust file explorer appearance and functionality. Software Management – Install/remove Windows apps and optional features. External Apps Installation – Deploy essential apps via WinGet integration. Configuration Management – Save, export, and import Winhance settings easily. Automation with WIMUtil – Create custom Windows ISOs with integrated settings. Autounattend.xml Generator – Automate Windows installations with preconfigured options. Driver Integration – Include current system drivers in custom ISOs. Non-Destructive Changes – Reversible settings with clear explanations in the GUI. Winhance 26.06.12 changelog: Features Builder Mode — build a Winhance config file or autounattend.xml without changing anything on the PC you're sitting at. Flip the new mode switcher to Builder, set everything the way you want it, and save the result as a Winhance config or an autounattend file ready for deployment on other machines. Sponsors & Supporters page — the exit donation dialog is gone. In its place, an in-app page (heart icon or the More menu) recognizes the businesses and individual supporters who keep Winhance free. It works offline and is fully localized. Change History — Winhance now keeps a receipt of everything it does. ChangeHistory.txt records every setting change (before and after values) and every app install or removal, with clear headers for config imports and bulk actions. Open it from the More menu. Hebrew language support — Winhance is now available in 29 languages. New Explorer customizations: desktop icon visibility toggles, This PC folder visibility, an icon cache size setting, and automatic thumbnail cache cleanup. New "All apps view" setting for the redesigned Windows 11 Start menu, and the Windows 11 system tray icons setting is now a dropdown with more control. App-local UI zoom — press Ctrl +/-/0 or use Ctrl+MouseWheel to scale the whole app, just like a browser. New External Apps: EA app, Ubisoft Connect, Battle.net, Rockstar Games Launcher, PowerShell, and Helium Browser. Bug Fixes Layouts no longer clip when the Windows text size slider is set above 100%. Accessibility: Narrator now announces setting names on toggles and dropdowns, previously unlabeled buttons are labeled, and progress updates are announced. Silent updates now respect your custom install location instead of reverting to the default. Cancel in Review Mode no longer clears your app selections. OneNote is now detected correctly for Win32 Click-to-Run installs. Clean Start Menu applies more reliably by also writing the group policy path. WinGet errors are no longer silent — error details now show in the terminal output. Fixed a startup crash on older Windows builds caused by a .NET runtime regression. Config import now converts power setting values correctly and no longer re-applies an already-active power plan. Improvements App icons load noticeably faster and cover almost everything now, including legacy capabilities and optional features — they come from a dedicated, checksum-validated icon repository and are fetched in parallel. Software & Apps polish: per-icon tooltips, extra table columns, an app sort dropdown, relocated search, and a cleaner compact view. A warning now appears when the Connected Devices Platform Service is set to Manual or Disabled, since some Windows features depend on it. Download: Winhance 26.06.12 | 61.5 MB (Open Source) Links: Winhance Website | Github | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Microsoft Windows 11 Pro and Office Home & Business 2024 is still 69% off

      By News Staff · Posted

      Microsoft Windows 11 Pro and Office Home & Business 2024 is still 69% off by Steven Parker Today's highlighted deal comes via our Apps + Software section of the Neowin Deals store, where you can save 69% on Windows 11 Pro + Microsoft Office Home & Business 2024. Upgrade your computing experience with Windows 11 Pro. This cutting-edge operating system boasts a sleek new design and advanced tools to help you work faster and smarter. From creative projects to gaming and beyond, Windows 11 delivers the power and flexibility you need to achieve your goals. With a focus on productivity, the new features are easy to learn and use, enhancing your workflow and efficiency. Whether you're a student, professional, gamer, or creative, Windows 11 Home has everything you need to take your productivity to the next level. New interface. easier on the eyes & easier to use Biometrics login*.Encrypted authentication & advanced antivirus defenses DirectX 12 Ultimate. Play the latest games with graphics that rival reality. DirectX 12 Ultimate comes ready to maximize your hardware* Screen space. Snap layouts, desktops & seamless redocking Widgets. Stay up-to-date with the content you love & the new you care about Microsoft Teams. Stay in touch with friends and family with Microsoft Teams, which can be seamlessly integrated into your taskbar** Wake & lock. Automatically wake up when you approach and lock when you leave Smart App Control. Provides a layer of security by only permitting apps with good reputations to be installed Windows Studio Effects. Designed with Background Blur, Eye Contact, Voice Focus, & Automatic Framing Touchscreen. For a true mouse-less or keyboard-less experience TPM 2.0. Helps prevent unwanted tampering Windows 11 Pro also includes a number of productivity-focused features, such as the ability to snap multiple windows together and create custom layouts, improved voice typing, and a new, more powerful search experience. Personal and professional users will enjoy a modern and secure computing experience, with improved performance and productivity features to help users get more done. Only on Windows 11 Pro If you require enterprise-oriented features for your daily professional tasks, then Windows 11 Pro is a better option. Set up with a local account (only when set up for work or school) Join Active Directory/Azure AD Hyper-V Windows Sandbox Microsoft Remote Desktop BitLocker device encryption Windows Information Protection Mobile device management (MDM) Group Policy Enterprise State Roaming with Azure Assigned Access Dynamic Provisioning Windows Update for Business Kiosk mode Maximum RAM: 2TB Maximum no. of CPUs: 2 Maximum no. of CPU cores: 128 Good to know: Length of access: lifetime Redemption deadline: redeem your code within 30 days of purchase Access options: desktop Max number of device(s): 1 Version: Windows 11 Pro Updates included Click here to verify Microsoft partnership Created with ChatGPT The essentials to get it all done. Microsoft Office 2024 Home is the latest version of Microsoft’s renowned productivity suite, which includes essential applications like Word, Excel, PowerPoint, and OneNote. This version is specifically designed for individuals and families seeking reliable tools for various home tasks, including document creation, spreadsheet management, presentation design, and note-taking. Office Home 2024 is for students and families who want classic Office apps on their Mac or PC. A one-time purchase installed on 1 PC or Mac for use at home or school. Lifetime license for MS Word, Excel, PowerPoint, & OneNote One-time purchase installed on 1 Windows PC for use at home or work Instant Delivery & Download – access your software license keys and download links instantly Free customer service – only the best support! Microsoft Office 2024 Home or Business for PC or Mac includes: Microsoft Office Word Microsoft Office Excel Microsoft Office PowerPoint Microsoft Office OneNote Is it legit? Click here to verify Microsoft partnership Good to Know ONE-TIME PURCHASE INSTALLED ON 1 DEVICE This licensing type will be connected with your Microsoft Account, NOT your actual device. This is a one-use code. The product you are purchasing is NOT MICROSOFT 365. Please read the product details. Redemption deadline: redeem your code within 30 days of purchase Access options: desktop Full versions No subscriptions – no monthly/annual fees Version: 2024 Updates included Here's the deal: This Microsoft Office Pro 2024 + Windows 11 Pro bundle normally costs $448.99, but this deal can be yours from just $134.97, that's a saving of $314. For full terms, specifications, and license info please click the link below. Microsoft Office Pro 2024 + Windows 11 Pro for just $134.97 (was $448.99) Although priced in U.S. dollars, this deal is available for digital purchase worldwide. Support queries If you have queries or need support for any of the Neowin Deals, please use the contact form here. Neowin Deals are managed and sold by StackCommerce who represent Neowin on an affiliate basis. Why we post these deals We post these because we earn commission on each sale so as not to rely solely on advertising, which many of our readers block. It all helps toward paying staff reporters, servers and hosting costs. So for those that keep moaning and complaining, be thankful we're still online for you to even do that. Other ways to support Neowin Whitelist Neowin by not blocking our ads Create a free member account to see fewer ads Make a donation to support our day to day running costs Subscribe to Neowin - for $14 a year, or $28 a year for an ad-free experience Disclosure: Neowin benefits from revenue of each sale made through our branded deals site powered by StackCommerce.

  • Recent Achievements

    • Conversation Starter
      flexorcist earned a badge
      Conversation Starter
    • One Month Later
      AndreaB earned a badge
      One Month Later
    • One Month Later
      agatameier earned a badge
      One Month Later
    • Week One Done
      agatameier earned a badge
      Week One Done
    • Week One Done
      ssd21345 earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      518
    2. 2
      +Edouard
      198
    3. 3
      PsYcHoKiLLa
      147
    4. 4
      ATLien_0
      95
    5. 5
      Steven P.
      77
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!