PHP:登录后将用户返回到其原始页面 [英] PHP: Returning a user to their original page after login

问题描述

是否存在关于最佳实践"的有关最佳实践"的信息，该最佳实践"是关于如何在登录到您的网站后如何使用户返回其原始页面的?例如如果我在未登录的情况下正在查看StackOverflow问题，那么如何确保登录后回到该问题?

Are there any 'best practices' concerning how one should return a user to their original page after logging in to your website, specifically in PHP? e.g. if I'm viewing a StackOverflow question while not logged in, how would you ensure that I return to this question if I logged in?

根据我的研究，似乎很多建议中心都围绕$ _SERVER ['HTTP_REFERER']变量.基本上，您会记下引荐来源并将其存储在会话中，然后在完成后重定向回该页面.

From my research, it seems a lot of advice centers around the $_SERVER['HTTP_REFERER'] variable. Basically, you take note of the referer and store it in the session, then redirect back to that page when you're done.

问题是HTTP_REFERER充其量是不可靠的.

The problem with this is that HTTP_REFERER is unreliable at best.

这是由用户代理设置的.并非所有的用户代理都将设置此功能，有些用户代理提供了将HTTP_REFERER修改为功能的功能.简而言之，它不能真正被信任.
— [ http://php.net/manual/en/reserved.variables. server.php]

This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
— [http://php.net/manual/en/reserved.variables.server.php]

对引荐来源网站进行的任何修改以重定向到网站的其他区域，将通过常规权限检查进行处理.如果引荐来源网址被清空，则可以简单地将用户重定向到网站的首页，而不是重定向到他们来自的页面.不过，这似乎不必要地引起用户的敌意，我希望有更好的方法来解决此问题.

Any edits to the referer to redirect to other areas of the site will be handled by routine permissions checks. If the referer gets blanked out, it might be acceptable to simply redirect the user to the main page of the site rather than the page they came from. This seems needlessly user hostile though, and I was hoping there would be some better way to handle this.

推荐答案

在登录页面上:

<form action="controller/LoginController" method="post">
<?php

if (isset($_SERVER['HTTP_REFERER'])) {
  echo '<input type="hidden" name="l" value="'.htmlspecialchars($_SERVER['HTTP_REFERER']).'" />';
}

?>
<!-- the rest of the form -->
<input type="submit" />
</form>

在登录控制器上，输入$_POST['l']值，然后查看此URL是否在您自己的网站上.如果不是，请重定向到您的默认页面，否则重定向到该URL.

At login controller, you take in the $_POST['l'] value and see whether or not this URL is on your own website. If it isn't, redirect to your default page, else redirect to this URL.

请确保在登录页面上(如果用户已经登录)将用户重定向回首页或其他内容.这样可以防止出现诸如重定向回登录的情况.

Make sure that on your login page if user is already logged in, you redirect the user back to home page or something. This will prevent cases like redirecting back to login.

$_SERVER['HTTP_REFERER']是浏览器的职责.在大多数情况下，它也是相当可靠的.如果浏览器没有发送，或者您担心它，则可以使用会话.

$_SERVER['HTTP_REFERER'] is a browser responsibility. It is also most of the time rather reliable. If the browser doesn't send, or if you are worried about it, you can use session instead.

只需将$_SESSION['lastvisitpage']设置为当前页面URL.登录后，您将重定向到$_SESSION['lastvisitpage'].

on every page simply set $_SESSION['lastvisitpage'] to the current page URL. On login then you redirect to $_SESSION['lastvisitpage'].

由于用户可以随时伪造$_SERVER['HTTP_REFERER']，因此应该始终正确地转义任何其他用户提供的变量.

Since $_SERVER['HTTP_REFERER'] can be faked by a user at any time, one should always treat is any other user-supplied variable by properly escaping it.

这篇关于PHP:登录后将用户返回到其原始页面的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！