How do I redirect the user to the last active page when they login due to session time out using php? [closed]

I have built a little piece of software using vanilla PHP. I have implemented automatic logout for logged-in users who have been inactive for quite some time. The thing is, I want to redirect them to the last active page before they were logged out when they log in, but I do not know how to start. I was going to try $_SERVER['HTTP_REFERER'], but I read where someone said that it was not a good option due to security reasons, hence now I’m stuck on how to do this. Any help would be greatly appreciated!

Answer

There is no need to store the page URL anywhere permanently, but in the query string of the redirect, or a cookie – you already know where the logout happened, just add the current URL to the redirection request (I assume it points to something like /login) and voilà – you have your redirection.

  1. User gets logged out on /foo/bar
  2. /foo/bar redirects to /login with the /foo/bar in mind (in query string, cookie, whatever you desire)
  3. User logs in on /login
  4. /login redirects to goto

❗ Please pay particular attention to sanitizing the goto variable if you redirect via back-end code. You don’t want to let someone redirect others to malicious.site through your server. Perhaps you could just limit the scope of that redirect manually, by treating goto as a local route regardless of it pointing somewhere else (if goto points to http://example.com, you could just redirect to https://your.server/http://example.com and show the 404).

📕 Always sanitize user-controlled data before use, especially when it comes to redirects.

Example: https://your.site/foo/bar (logout happened) -> https://your.site/login?goto=/foo/bar (user authenticates again) -> https://your.site/foo/bar (user keeps using the site)

User contributions licensed under: CC BY-SA
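
One way to restrict goto to same-site paths before redirecting, as the answer above advises. This is an added example, not part of the original answer; the names safe_goto and login_url_for, the '/' fallback and the 2048-byte limit are assumptions, and it rejects off-site values instead of rewriting them into a local 404.

```php
<?php
declare(strict_types=1);

/**
 * Return $raw only if it is a local path such as "/foo/bar?page=2";
 * otherwise return $fallback. (Hypothetical helper, not from the answer.)
 *
 * @param mixed $raw Usually $_GET['goto']; may be an array if "goto[]=" is sent.
 */
function safe_goto($raw, string $fallback = '/'): string
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 2048) {
        return $fallback;
    }
    // Reject control characters (CR/LF included) and backslashes:
    // browsers treat "\" like "/", so "/\example.com" would leave the site.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $raw) === 1) {
        return $fallback;
    }
    // Exactly one leading slash: "//example.com" is a protocol-relative URL.
    if ($raw[0] !== '/' || (isset($raw[1]) && $raw[1] === '/')) {
        return $fallback;
    }
    // Final check: the parser must see neither a scheme nor a host.
    $parts = parse_url($raw);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $raw;
}

/** Step 2 of the answer: build the /login URL that remembers the current page. */
function login_url_for(string $requestUri): string
{
    return '/login?' . http_build_query(['goto' => safe_goto($requestUri)]);
}

// Step 4, on /login after the credentials were verified:
//   header('Location: ' . safe_goto($_GET['goto'] ?? null), true, 303);
//   exit;

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs: two local paths, then values that must be refused.
    $samples = ['/foo/bar', '/foo/bar?page=2', 'http://example.com',
                '//example.com', '/\\example.com', "/foo\r\nX-Test: 1", ['x']];
    foreach ($samples as $in) {
        printf("%-28s => %s\n", json_encode($in), safe_goto($in));
    }
    echo login_url_for('/foo/bar?page=2'), "\n";
}
```

The check runs both when the link to /login is built and again when /login redirects, because the query string can be edited in between.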