Robert Erbaron wrote:
> I've been reading up on login mechanisms using redirects, and have a
> basic mechanism down.
>
> a1.php:
> <?php
> session_start();                     // required before $_SESSION is usable
> $site_title = 'My Site';
> if (isset($_SESSION['errmsg_s'])) {
>     $errmsg = 'Warning! ' . $_SESSION['errmsg_s'] . '!';
> } else {
>     $errmsg = '';
> }
> if (isset($_SESSION['email_s'])) {   // back on the login page: forget the old login
>     unset($_SESSION['email_s']);
> }
> echo '<h1>Welcome to ' . htmlspecialchars($site_title) . '</h1><br>';
> echo htmlspecialchars($errmsg);      // escape anything echoed into HTML
> ?>
> <!-- form goes here and calls a2.php -->
>
> a2.php:
> <?php
> session_start();
> $email = isset($_POST['email']) ? $_POST['email'] : '';
> $email_ok = false;                   // test email for goodness against database
> if ($email_ok) {
>     session_regenerate_id(true);     // fresh session id on login: blocks session fixation
>     $_SESSION['email_s'] = $email;
>     unset($_SESSION['errmsg_s']);
>     // stuff successful login into database
>     session_write_close();
>     header('Location: a3.php');
>     exit;
> } else {
>     $_SESSION['errmsg_s'] = 'Re-enter your email';
>     unset($_SESSION['email_s']);
>     session_write_close();
>     header('Location: a1.php');
>     exit;
> }
> ?>
>
> a3.php:
> <?php
> session_start();
> if (empty($_SESSION['email_s'])) {   // not logged in: back to the form
>     session_write_close();
>     header('Location: a1.php');
>     exit;
> }
> $email = $_SESSION['email_s'];
> // htmlspecialchars() stops a crafted email from injecting markup into the page
> echo 'Hello there, ' . htmlspecialchars($email) . '. We are glad to have you here.<br>';
> ?>
>
> OK, looks like this handles refresh (resubmit) and back button issues.
> Hitting back when on page 3 empties 'email', so resubmitting does a
> brand new login. (If I'm missing something, holler.)
>
> However, the seminal article at
> http://www.theserverside.com/tt/articles/article.tss?l=RedirectAfterPost
> says:
> - Never show pages in response to POST
> - Navigate from POST to GET using REDIRECT
> - Always load pages using GET
>
> I get the first and the second, and understand how to implement them.
> The third, though. Sorry, I'm missing something. I simply don't
> understand what they mean or how to do it. Can someone translate my
> little a3.php page into 'using GET' instead of just grabbing the
> session var again? And why is that necessary?
A standard HTTP request is a GET request.
Using Firefox and one of a number of extensions (Firebug springs to mind),
you can actually view the request headers that are sent.
>
> (P.S. I'll get to the issue of rearchitecting this via require instead
> of using header() redirects, cough, cough, Richard Lynch, cough, cough
> :) in a future message. One step at a time...)
Yes, abusing redirects as described is wasteful. And certainly it's the
first time I've ever heard the statement 'Never show pages in response to POST';
sounds like hubris to me.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
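Added example, not code from the thread or from the article it cites: the a1/a2/a3 flow rebuilt as a small Python HTTP server with a scripted client that records every request it makes, so the "always load pages using GET" point can be seen on the wire rather than in Firebug. Python is used instead of PHP so both ends fit in one runnable file; KNOWN_EMAILS, SESSIONS, the SID cookie name and the helper names (PRGHandler, start_server, browse, login_flow) are all constructed for this example.

```python
# Added example, not code from the thread: the a1/a2/a3 flow re-done as a tiny
# Python HTTP server plus a scripted "browser" that records which method fetches
# which page.  KNOWN_EMAILS and SESSIONS stand in for the database and $_SESSION.
import html
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

KNOWN_EMAILS = {"alice@example.com"}   # constructed sample data
SESSIONS = {}                           # sid -> dict
COOKIE_NAME = "SID"


class PRGHandler(BaseHTTPRequestHandler):
    """a1.php (form), a2.php (POST target) and a3.php (landing page) in one handler."""
    def log_message(self, *args):       # keep the demo quiet
        pass

    def session(self):                  # (sid, data) for the cookie's session, if any
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == COOKIE_NAME and value in SESSIONS:
                return value, SESSIONS[value]
        return None, {}

    def redirect(self, location, sid=None):
        # 303 See Other: fetch `location` with GET, whatever method was used here.
        # PHP's header('Location: ...') sends 302, which browsers treat alike for POST.
        self.send_response(303)
        self.send_header("Location", location)
        if sid is not None:
            self.send_header("Set-Cookie", f"{COOKIE_NAME}={sid}; HttpOnly; Path=/")
        self.end_headers()

    def page(self, body):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        path = urlsplit(self.path).path
        _, sess = self.session()
        if path == "/a1.php":                           # login form, plus any error
            warn = sess.get("errmsg_s", "")
            self.page("<h1>Welcome</h1>" + (f"Warning! {html.escape(warn)}!" if warn else "")
                      + '<form method="post" action="/a2.php"><input name="email"></form>')
        elif path == "/a3.php":                         # landing page, reached by GET only
            if not sess.get("email_s"):
                return self.redirect("/a1.php")
            self.page(f"Hello there, {html.escape(sess['email_s'])}.")  # escape user input
        else:
            self.send_error(404)

    def do_POST(self):                                  # a2.php: never renders a page
        form = parse_qs(self.rfile.read(int(self.headers.get("Content-Length", "0"))).decode())
        email = form.get("email", [""])[0]
        old_sid, _ = self.session()
        SESSIONS.pop(old_sid, None)                     # like session_regenerate_id(true)
        sid = secrets.token_hex(16)
        if email in KNOWN_EMAILS:                       # the "database" check
            SESSIONS[sid] = {"email_s": email}
            self.redirect("/a3.php", sid)
        else:
            SESSIONS[sid] = {"errmsg_s": "Re-enter your email"}
            self.redirect("/a1.php", sid)


def start_server():
    """Serve on a random loopback port in a daemon thread; returns the port."""
    server = HTTPServer(("127.0.0.1", 0), PRGHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def browse(port, method, path, body=None, cookies=None, max_redirects=5):
    """Scripted browser: follows 3xx with GET, keeps cookies, records every request."""
    cookies, trace = dict(cookies or {}), []
    for _ in range(max_redirects + 1):
        headers = {"Content-Type": "application/x-www-form-urlencoded"} if body else {}
        if cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in cookies.items())
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        text = resp.read().decode()
        conn.close()
        trace.append((method, path, resp.status))
        for cookie in resp.headers.get_all("Set-Cookie") or []:
            name, _, value = cookie.split(";", 1)[0].partition("=")
            cookies[name] = value
        if resp.status not in (301, 302, 303):
            return trace, text, cookies
        method, path, body = "GET", resp.getheader("Location"), None
    raise RuntimeError("too many redirects")


def login_flow(port, email):
    """Submit the form, follow the redirect, then 'hit refresh' on the landing page."""
    trace, _, cookies = browse(port, "POST", "/a2.php", body=f"email={email}")
    refresh, text, _ = browse(port, "GET", trace[-1][1], cookies=cookies)
    return trace + refresh, text
```

Calling login_flow(start_server(), "alice@example.com") returns the trace [("POST", "/a2.php", 303), ("GET", "/a3.php", 200), ("GET", "/a3.php", 200)]: the POST never produces a page, the landing page is fetched by GET, and refreshing it repeats a harmless GET instead of resubmitting the form. A wrong email gives the same shape ending in /a1.php, and a bare GET of /a3.php with no session is bounced to /a1.php. The handler also issues a fresh session id on every login (the session_regenerate_id(true) step, so a cookie planted before login is discarded) and escapes the email before echoing it; the same two hardening steps belong in the PHP versions.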