A common way to do this is to pass the user's current page to the Login form via a $_GET variable.

For example: if you are reading an Article and you want to leave a comment, the URL for comments is comment.php?articleid=17. While comment.php is loading, it notices that you are not logged in. It wants to send you to login.php, like you showed earlier. However, we're going to change your script so that it also tells the login page to remember where you are:
```php
// comment.php
// $_SERVER['REQUEST_URI'] is the path and query string of your current page
header("Location: login.php?location=" . urlencode($_SERVER['REQUEST_URI']));
exit(); // stop the script so nothing runs after the redirect header
```
This should send the user to: login.php?location=comment.php%3Farticleid%3D17. login.php should now check to see if $_GET['location'] is populated. If it is populated, then send the user to this location (in this case, comment.php?articleid=17). For example:
```php
// login.php
echo '<input type="hidden" name="location" value="';
if (isset($_GET['location'])) {
    echo htmlspecialchars($_GET['location']);
}
echo '" />';
// Will show something like this:
// <input type="hidden" name="location" value="comment.php?articleid=17" />
```
```php
// login-check.php
session_start();

// $username and $password are assumed to have been read from the login form
// earlier in this script, and user_exists() to be your own lookup function.

// our url is now stored as $_POST['location'] (posted from login.php).
// If it's blank or missing, let's ignore it. Otherwise, let's do something with it.
$redirect = NULL;
if (!empty($_POST['location'])) {
    $redirect = $_POST['location'];
}

// Parentheses matter here: in PHP, AND binds more tightly than OR.
if ((empty($username) OR empty($password)) AND !isset($_SESSION['id_login'])) {
    $url = 'login.php?p=1';
    // if we have a redirect URL, pass it back to login.php so we don't forget it
    if (isset($redirect)) {
        $url .= '&location=' . urlencode($redirect);
    }
    header("Location: " . $url);
    exit();
}
elseif (!user_exists($username, $password) AND !isset($_SESSION['id_login'])) {
    $url = 'login.php?p=2';
    if (isset($redirect)) {
        $url .= '&location=' . urlencode($redirect);
    }
    header("Location: " . $url);
    exit();
}
elseif (isset($_SESSION['id_login'])) {
    // if login is successful and there is a redirect address, send the user directly there
    if ($redirect) {
        header("Location: " . $redirect);
    } else {
        header("Location: login.php?p=3");
    }
    exit();
}
```
Gotchas
You should run some validation against $_GET['location'] before sending the user there. For example, if I tell people who use your site to click on this link: login.php?location=http%3A%2F%2Fmalice.com%2Fevilpage.php ... then they will be sent to a foreign URL that will try to do something bad.

Always make sure to use urlencode when passing URLs as $_GET parameters. This encodes special URL characters (such as ?, &, and %) so that they don't break your url (e.g.: login.php?location=comment.php?id=17 <- this has two ?'s and will not work correctly).
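As an added example that is not part of the answer above, here is one way to do the validation the first gotcha asks for: accept only same-site relative paths as the redirect target and fall back to a default page otherwise. The function name safe_redirect_target, the default of index.php, and the sample inputs are all assumptions made for this example.

```php
<?php
// Added example: validate the `location` parameter before using it in a
// Location header, so that only same-site paths are accepted.
// Assumptions: the site lives at the document root, and "index.php" is a
// safe place to send the user when the stored location is missing or rejected.

function safe_redirect_target($location, $default = 'index.php')
{
    if (!is_string($location) || $location === '') {
        return $default;
    }
    // Reject anything parse_url sees as having a scheme or host
    // (http://malice.com/..., //malice.com/..., javascript:...).
    $parts = parse_url($location);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    // Protocol-relative and backslash forms that some browsers treat as a host.
    if (strpos($location, '//') === 0 || strpos($location, '\\') !== false) {
        return $default;
    }
    // Control characters or newlines must never reach a Location header.
    if (preg_match('/[\x00-\x1F\x7F]/', $location)) {
        return $default;
    }
    // Only allow a path on this site, optionally followed by a query string.
    if (!preg_match('#^/?[A-Za-z0-9_./-]*(\?[^\s\#]*)?$#', $location)) {
        return $default;
    }
    return $location;
}

// Constructed sample inputs, as login-check.php would receive them in $_POST['location']:
$samples = array(
    'comment.php?articleid=17',            // kept
    '/articles/view.php?id=3&page=2',      // kept
    'http://malice.com/evilpage.php',      // rejected: foreign host
    '//malice.com/evilpage.php',           // rejected: protocol-relative
    "comment.php?a=1\r\nX-Injected: yes",  // rejected: newline in header value
    '',                                    // falls back to the default
);
foreach ($samples as $s) {
    echo var_export($s, true), ' => ', safe_redirect_target($s), PHP_EOL;
}

// In login-check.php, after a successful login, use it like this:
//   header('Location: ' . safe_redirect_target($redirect));
//   exit();
```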