Databases
StackOverflow2013
Postsdbo
POTrying to understand the Post/Redirect/Get design pattern (implemented with PHP)
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POTrying to understand the Post/Redirect/Get design pattern (implemented with PHP)
    primarykey
    data
    text
    <p>All,</p> <p>Sorry in advance - I'm not a PHP expert or knowledgeable in design patterns, so this question might be a little basic...</p> <p>Anyway, I'm working on a web app that will require a login.</p> <p>My plan is to have something like this:</p> <p>index.php: this page will contain a simple form that allows users to enter a username and password. The form will POST the inputs to...</p> <p>login.php: this page will receive the inputs from index.php, and check those credentials against a database. If any of the inputs are missing, or the credentials check fails, the php script will <strong>REDIRECT</strong> the user back to index.php using:</p> <pre><code>header('Location: http://www.mydomain.com/index.php'); </code></pre> <p>If the credentials are valid, then login.php creates a session to establish the user's authenticated status:</p> <pre><code>session_start(); $_SESSION['authenticated'] = true; </code></pre> <p>Then, it determines what access type the user has. If he has "level 1" access, the script will redirect the user to level1.php using:</p> <pre><code>header('Location: http://www.mydomain.com/level1.php'); </code></pre> <p>If the user has "level 2" access, the script will redirect the user to level2.php using:</p> <pre><code>header('Location: http://www.mydomain.com/level2.php'); </code></pre> <p>Finally, when level1.php or level2.php is reached, the first thing they do is check the session. If the user is not authenticated, redirect him back to index.php:</p> <pre><code>session_start(); if (!isset($_SESSION['authenticated']) { header('Location: http://www.mydomain.com/index.php'); } else { // proceed to display the page } </code></pre> <p>Having this check in level1.php and level2.php will prevent users from accessing that page directly, without logging in.</p> <p>My first issue is this: this simple logic FAILS the first time through - when level1.php is reached, "isset($_SESSION['authenticated']" <strong>ALWAYS</strong> returns false, so the user is always redirected back to index.php. If he enters the exact same credentials a second time, the process works as it should.</p> <p>In short, for reasons I don't understand, it seems the session that's set by login.php is not found by level1.php - I assume because of the redirect. In other words, the check on level1.php seems to fail until/unless a round trip is made to the client's browser.</p> <p>Since every site that requires login has already solved this problem, this shouldn't be a novel challenge, and their should be a very established pattern for it. How should I handle it?</p> <p>A related question... I've seen similar questions asked here before, and most answers usually involve a solution in which pages are POSTing back to themselves. This seems a little wierd - ideally, I'd like to have each PHP page perform a specific job:</p> <ul> <li>index.php - display a form to capture credentials, then post them to login.php</li> <li>login.php - evaluate the user's credentials, then direct them to the appropriate page</li> <li>level1.php &amp; level2.php - display the appropriate content</li> </ul> <p>Is this a flawed setup? If so, what's the better setup?</p> <p>And generally - if one page establishes a session, then redirects the user to another page - is there any way that second page can read the session?</p> <p>There's a great page on Wikipedia about Post/Redirect/Get:</p> <p><a href="http://en.wikipedia.org/wiki/Post/Redirect/Get" rel="nofollow">http://en.wikipedia.org/wiki/Post/Redirect/Get</a></p> <p>But it's a little conceptual for me - I'd like to see it explained with references to specific pages:</p> <p>E.g. a form on "page A" POSTs data to "page B", "page B" redirects the user to "page C", etc...</p> <p>And, I don't understand how it's implemented with sessions, if sessions aren't recognized when using redirects.</p> <p>Many thanks in advance for any advice and insights.</p> <hr> <p><strong>[UPDATE]</strong></p> <p>Thanks to Matt Ball's comment, I've refined the issue:</p> <p>login.php was setting the session and redirecting the user to the next screen:</p> <pre><code>session_start(); $_SESSION['authenticated'] = true; header('Location: http://www.mydomain.com/level1.php'); </code></pre> <p>However, when level1.php checked that session, "authenticated" was <strong>NOT SET</strong>:</p> <pre><code>session_start(); echo (isset($_SESSION['authenticated']); // returns false </code></pre> <p>However, if I changed login.php so that the header redirected to a <strong>RELATIVE</strong> url instead of an absolute one:</p> <pre><code>session_start(); $_SESSION['authenticated'] = true; header('Location: level1.php'); </code></pre> <p>Then, level1.php works like I expect:</p> <pre><code>session_start(); echo (isset($_SESSION['authenticated']); // now returns true </code></pre> <p>I don't understand why the relative URL makes a difference, but it does. So, at least my immediate issue is resolved.</p> <p>Many thanks to everyone who commented!</p> <hr> <p>Cheers, Matt Stuehler</p>
    singulars
    1. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. PTQuestion
    1. USMatt Ball
    1. USmattstuehler
    plurals
    1. PL
      singulars
      1. LTLinked
    1. PL
      singulars
      1. LTLinked
    2. PL
      singulars
      1. LTLinked
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    2. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POTrying to understand the Post/Redirect/Get design pattern (implemented with PHP)
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. POTrying to understand the Post/Redirect/Get design pattern (implemented with PHP)
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. POTrying to understand the Post/Redirect/Get design pattern (implemented with PHP)
      1. This table or related slice is empty.
      1. VTUpMod
    1. COA shot in the dark concerning the session-problem: did you call `session_start();` in level1.php? Another thing: for security reasons, you should not only check if the session is valid in level1...x.php but also if the user's level is sufficient. Otherwise a Level1-user could log in and then call level2.php manually.
      singulars
      1. POTrying to understand the Post/Redirect/Get design pattern (implemented with PHP)
      1. USSelect0r
    2. COYou should use a tool like Firebug+FireCookie to check that the PHPSESSID cookie is actually set when login.php send its headers, and that they exist also afterwards.
      singulars
      1. POTrying to understand the Post/Redirect/Get design pattern (implemented with PHP)
      1. USSirDarius
    3. COI think you need to start you session before you redirect back after the user has logged in
      singulars
      1. POTrying to understand the Post/Redirect/Get design pattern (implemented with PHP)
      1. USPhill Pafford
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload