I have built a little piece of software using Vanilla PHP, and I have implemented automatic logout for logged-in users who have been inactive for quite some time. The thing is, I want to redirect them to the last active page before they were logged out when they log in, but I do not know how to start. I was going to try $_SERVER['HTTP_REFERER'], but I read where someone said that it was not a good option due to security reasons, hence now I'm stuck on how to do this. Any help would be greatly appreciated!
Answer
There is no need to store the page URL anywhere permanently, other than in the query string of the redirect, or a cookie – you already know where the logout happened, so just add the current URL to the redirection request (I assume it points to something like /login) and voilà – you have your redirection.
- User gets logged out on /foo/bar; /foo/bar redirects to /login with the /foo/bar in mind (in query string, cookie, whatever you desire)
- User logs in on /login; /login redirects to goto
❗ Please pay particular attention to sanitizing the goto variable if you redirect via back-end code. You don't want to let someone redirect others to malicious.site through your server. Perhaps you could just limit the scope of that redirect manually, by treating goto as a local route regardless of it pointing somewhere else (if goto points to http://example.com, you could just redirect to https://your.server/http://example.com and show the 404).
Always sanitize user-controlled data before use, especially when it comes to redirects.
Example:
- https://your.site/foo/bar (logout happened)
- -> https://your.site/login?goto=/foo/bar (user authenticates again)
- -> https://your.site/foo/bar (user keeps using the site)
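The flow above in plain PHP, as an added example that is not part of the original question or answer: the logout side records the current path in the goto query parameter, and the login side only honours goto when it is a same-site path, falling back to / otherwise. The route names (/login, /foo/bar) and the function names are assumptions.

```php
<?php
// Added example (not the original poster's or answerer's code).
// Route names and helper names are assumptions.

declare(strict_types=1);

/**
 * Reduce a user-controlled "goto" value to a safe same-site path.
 * Absolute URLs ("http://evil.site"), scheme-relative URLs ("//evil.site"),
 * backslash variants ("/\evil.site") and control characters all fall back
 * to $fallback, so the server can never be used as an open redirector.
 */
function safe_local_redirect_target(?string $goto, string $fallback = '/'): string
{
    if ($goto === null || $goto === '') {
        return $fallback;
    }
    // Must start with exactly one "/" that is not followed by "/" or "\".
    if (!preg_match('#^/(?![/\\\\])#', $goto)) {
        return $fallback;
    }
    // CR/LF or other control characters could corrupt the Location header.
    if (preg_match('/[\x00-\x1F\x7F]/', $goto)) {
        return $fallback;
    }
    // parse_url must see a path only: no scheme and no host component.
    $parts = parse_url($goto);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $goto;
}

// Logout side: called from the inactivity check when the session has expired.
function redirect_to_login_remembering_current_page(): void
{
    $current = $_SERVER['REQUEST_URI'] ?? '/';
    session_destroy();
    header('Location: /login?goto=' . rawurlencode($current), true, 302);
    exit;
}

// Login side: called only after the user has successfully authenticated.
function redirect_after_login(): void
{
    $target = safe_local_redirect_target($_GET['goto'] ?? null);
    header('Location: ' . $target, true, 302);
    exit;
}
```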