
03-15-2012, 12:19 AM
Senior Member
Join Date: Mar 2011
Location: UK
Posts: 1,054
Re: Return Feature
@fpmuser
You can either go with weekendrockstar's module or change the line in dbc.php
Code:
if (RET_TO_VIEWED == 1) $qry="page=".$_SESSION['url'];
Since $_SESSION['url'] is set before the include of dbc.php it will redirect to the current page.

04-03-2012, 06:02 AM
Member
Join Date: Apr 2011
Posts: 73
Re: Return Feature
That code above gives this in the login url:
.../login.php?page=updategeneralinfo.php
-------------------------------
if (RET_TO_VIEWED == 1) $qry="page=".rawurlencode(stripslashes($_SERVER['REQUEST_URI']));
This code does attempt to pass the correct info
.../login.php?page=%2Fupdategeneralinfo.php%3Fairport_id%3D20323
The issue is the code on the updategeneralinfo page:
<?php
SESSION_START();
$_SESSION['url'] = "updategeneralinfo.php";
include 'dbc.php';
page_protect();
It redirects to this: $_SESSION['url'] = "updategeneralinfo.php";

04-03-2012, 09:14 AM
Senior Member
Join Date: Mar 2011
Location: UK
Posts: 1,054
Re: Return Feature
OK, so let me be clear about the problem. We're working with the original code I posted (i.e. without the if (RET_TO_VIEWED == 1) $qry="page=".$_SESSION['url']; change in dbc.php, since it appears to be constructing the correct URI without this)?
You are navigating to updategeneralinfo.php without logging in, which redirects to login.php because it is page protected.
When you log in it is redirecting you back to updategeneralinfo.php instead of %2Fupdategeneralinfo.php%3Fairport_id%3D20323, so stripping out the querystring. Is that the case?

04-09-2012, 06:21 PM
Member
Join Date: Apr 2011
Posts: 73
Re: Return Feature
This is what's in the dbc:
//Make "return to previously viewed page after login" optional
define ("RET_TO_VIEWED",1); // 1 = on, 0 = off
Everything you stated is correct.
I click the link to updategeneralinfo (without being logged in) and it directs me to the login.php page (which has the redirect info in the web address as you designed). After I click login, it redirects to the updategeneralinfo.php page without the info that should have been passed.
Again the key note here is that whatever I change this code to (which is on the updategeneralinfo.php page) it will redirect to that page.
$_SESSION['url'] = "updategeneralinfo.php";
I could tell it to go to google and that's where it will go. So that tells me, for some reason my code is reading that over the code you have written.

04-10-2012, 10:24 AM
Senior Member
Join Date: Mar 2011
Location: UK
Posts: 1,054
Re: Return Feature
Can you paste your login script (login.php or equivalent)? That's where the redirection happens back to your previous page, so that's likely to be where the error is. It does sound like the variables are getting mixed up somewhere.

04-10-2012, 05:49 PM
Member
Join Date: Apr 2011
Posts: 73
Re: Return Feature
Just as a note, when I changed $_SESSION['url'] = to login.php; it sent me to this page: header("Location: controller.php?i=0&id='$id'");
I couldn't quite figure out the significance of that, but thought I would mention it.
$err = array();
foreach($_GET as $key => $value) {
    $get[$key] = filter($value); //get variables are filtered.
}
//Get page to return to after login
$retpage="";
if (isset($get['page'])) $retpage=$get['page'];
if(isset($_COOKIE['user_id'])){
    $email = $_COOKIE['user_email'];
    $user_id = $_COOKIE['user_id'];
    $result = mysql_query("SELECT * FROM fpm_users WHERE id='$user_id' AND user_email='$email'");
    if(mysql_num_rows($result) > 0){
        //If option selected, return to previously viewed page
        if (RET_TO_VIEWED == 1 && $retpage != "") {
            $pos=strpos($retpage,"?");
            if ($pos === false) {
                $sep="?";
            } else {
                $sep="&";
            }
            header("Location: ".$retpage.$sep."id='$id'");
        } else {
            header("Location: controller.php?i=0&id='$id'");
        }
    }
}
if ($_POST['doLogin']=='Login')
{
    foreach($_POST as $key => $value) {
        $data[$key] = filter($value); // post variables are filtered
    }
    $user_email = $data['usr_email'];
    $pass = $data['pwd'];
    $user_cond = "user_email='$user_email'";
    $result = mysql_query("SELECT `id`,`pwd`,`user_email`,`approved`,`user_level` FROM fpm_users WHERE
        $user_cond
        AND `banned` = '0'
        ") or die (mysql_error());
    $num = mysql_num_rows($result);
    // Match row found with more than 1 results - the user is authenticated.
    if ( $num > 0 ) {
        list($id,$pwd,$user_email,$approved,$user_level) = mysql_fetch_row($result);
        if(!$approved) {
            //$msg = urlencode("Account not activated. Please check your email for activation code");
            $err[] = "Check your email for the activation code. Account not activated.";
            //header("Location: login.php?msg=$msg");
            //exit();
        }
        //check against salt
        if ($pwd === PwdHash($pass,substr($pwd,0,9))) {
            if(empty($err)){
                // this sets session and logs user in
                session_start();
                session_regenerate_id (true); //prevent against session fixation attacks.
                // this sets variables in the session
                $_SESSION['user_id']= $id;
                $_SESSION['user_email'] = $user_email;
                $_SESSION['user_level'] = $user_level;
                $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
                $user_ip = $_SERVER['REMOTE_ADDR'];
                //update the timestamp and key for cookie
                $stamp = time();
                $ckey = GenKey();
                mysql_query("update fpm_users set `ctime`='$stamp', `ckey` = '$ckey' where id='$id'") or die(mysql_error());
                $sql_insert = "INSERT INTO `user_login_log`
                    (`user_id`, `user_ip`, `timestamp`)
                    VALUES
                    ('$id', '$user_ip', now())";
                mysql_query($sql_insert,$link) or die("Insertion Failed:" . mysql_error());
                //set a cookie
                if(isset($_POST['remember'])){
                    $time = time()+60*60*24*COOKIE_TIME_OUT;
                    setcookie("user_id", $_SESSION['user_id'], $time);
                    setcookie("user_key", sha1($ckey), $time, "/");
                    setcookie("user_email", $_SESSION['user_email'], $time);
                    setcookie("pwd",$pass,time()+60*60*24*COOKIE_TIME_OUT, "/");
                }
                header("Location: ".$_SESSION['url']);
            }
        }
        else
        {
            //$msg = urlencode("Invalid Login. Please try again with correct user email and password. ");
            $err[] = "Please try again with correct email and password.";
            //header("Location: login.php?msg=$msg");
        }
    } else {
        $err[] = "Error - Invalid login. No such user exists";
    }
}
// Insert the page header
$page_title = 'Login';
$robots = "noindex";
require_once('header.php');
// Show the navigation menu
require_once('navmenu.php');

04-14-2012, 10:10 PM
Senior Member
Join Date: Mar 2011
Location: UK
Posts: 1,054
Re: Return Feature
Quote:
Just as a note, when I changed $_SESSION['url'] = to login.php; it sent me to this page: header("Location: controller.php?i=0&id='$id'");
I couldn't quite figure out the significance of that, but thought I would mention it.
|
Yes, sorry about that. I forgot to amend that line of code when I originally posted it (see the 2 posts afterwards). The code should be:
PHP Code:
//If option selected, return to previously viewed page
if (RET_TO_VIEWED == 1 && $retpage != "") {
header("Location: ".$retpage);
} else {
header("Location: myaccount.php");
}
The "extended" code is only for use in case you want to pass more parameters in the querystring after the page URI:
PHP Code:
//If option selected, return to previously viewed page
if (RET_TO_VIEWED == 1 && $retpage != "") {
$pos=strpos($retpage,"?");
if ($pos === false) {
$sep="?";
} else {
$sep="&";
}
header("Location: ".$retpage.$sep."variable_name='$variable'");
} else {
header("Location: myaccount.php");
}
Then try changing this line in login.php:
Code:
//Get page to return to after login
$retpage="";
if (isset($_GET['page'])) $retpage=$_GET['page'];
in case it's the filter() function that's removing the querystring.

04-22-2012, 03:07 AM
Member
Join Date: Apr 2011
Posts: 73
Re: Return Feature
I entered the code you supplied.
The login page url:
../login.php?page=%2Fupdategeneralinfo.php%3Fairport_id%3D20323
The next page url:
../updategeneralinfo.php
The variables did not get passed through.
Is there something on the update page that I need to be using to grab the variable?
--------------------
On the update page I changed the url page:
<?php
SESSION_START();
$_SESSION['url'] = "login.php";
After clicking login, it redirects back to the login page.

04-23-2012, 01:02 PM
Senior Member
Join Date: Mar 2011
Location: UK
Posts: 1,054
Re: Return Feature
What is $_SESSION['url'] used for? The return to previous page function doesn't use that variable, so is something else redirecting the user instead?
Quote:
Is there something on the update page that I need to be using to grab the variable?
|
No, because that's all done by dbc.php:
PHP Code:
//Add querystring to redirect to prepare to return to this page after login if option selected
$qry="";
if (RET_TO_VIEWED == 1) $qry="page=".rawurlencode(stripslashes($_SERVER['REQUEST_URI']));
header("Location: login.php?".$qry);
exit();
login.php then collects the address of the page to be redirected to after login:
PHP Code:
//Get page to return to after login
$retpage="";
if (isset($get['page'])) $retpage=$get['page'];
and login.php performs the redirect here:
PHP Code:
//If option selected, return to previously viewed page
if (RET_TO_VIEWED == 1 && $retpage != "") {
    header("Location: ".$retpage);
} else {
    header("Location: myaccount.php");
}
$retpage will also contain any querystring passed to the page that is to be returned to. $_SESSION['url'] isn't used anywhere in that process, so I suspect it's being used to perform the redirect instead of my script.

05-02-2012, 08:47 PM
Member
Join Date: Apr 2011
Posts: 73
Re: Return Feature
I removed $_SESSION['url'] on the update.php page. <=== that code was in the original source code for protected pages
Now when I am on the login page:
.../login.php?page=%2Fupdategeneralinfo.php%3Fairport_id%3D20323
I click login, it sends me here:
.../login.php
Instead of here:
.../updategeneralinfo.php?airport_id=20323
Here is my code:
dbc.php
--------------------------------
//Make "return to previously viewed page after login" optional
define ("RET_TO_VIEWED",1); // 1 = on, 0 = off
function page_protect() {
    session_start();
    global $db;
    if (isset($_SESSION['HTTP_USER_AGENT']))
    {
        if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
        {
            logout();
            exit;
        }
    }
    if (!isset($_SESSION['user_id']) && !isset($_SESSION['user_email']) )
    {
        if(isset($_COOKIE['user_id']) && isset($_COOKIE['user_key'])){
            $cookie_user_id = filter($_COOKIE['user_id']);
            $rs_ctime = mysql_query("select `ckey`,`ctime` from `fpm_users` where `id` ='$cookie_user_id'") or die(mysql_error());
            list($ckey,$ctime) = mysql_fetch_row($rs_ctime);
            // cookie expiry
            if( (time() - $ctime) > 60*60*24*COOKIE_TIME_OUT) {
                logout();
            }
            /* Security check with untrusted cookies - don't trust value stored in cookie.
               We also do authentication check of the `ckey` stored in cookie matches that stored in database during login */
            if( !empty($ckey) && is_numeric($_COOKIE['user_id']) && isUserID($_COOKIE['user_email']) && $_COOKIE['user_key'] == sha1($ckey) ) {
                session_regenerate_id(); //against session fixation attacks.
                $_SESSION['user_id'] = $_COOKIE['user_id'];
                $_SESSION['user_email'] = $_COOKIE['user_email'];
                /* query user level from database instead of storing in cookies */
                list($user_level) = mysql_fetch_row(mysql_query("select user_level from fpm_users where id='$_SESSION[user_id]'"));
                $_SESSION['user_level'] = $user_level;
                $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
            } else {
                logout();
            }
        } else {
            //Add querystring to redirect to prepare to return to this page after login if option selected
            $qry="";
            if (RET_TO_VIEWED == 1) $qry="page=".rawurlencode(stripslashes($_SERVER['REQUEST_URI']));
            header("Location: login.php?".$qry);
            exit();
        }
    }
}
-------------------
login.php
//Get page to return to after login
$retpage="";
if (isset($_GET['page'])) $retpage=$_GET['page'];
//If option selected, return to previously viewed page
if (RET_TO_VIEWED == 1 && $retpage != "") {
$pos=strpos($retpage,"?");
if ($pos === false) {
$sep="?";
} else {
$sep="&";
}
header("Location: ".$retpage.$sep."id='$id'");
} else {
header("Location: myaccount.php");
}
}
-------------------

05-03-2012, 07:43 PM
Senior Member
Join Date: Mar 2011
Location: UK
Posts: 1,054
Re: Return Feature
Well, that looks fine to me, so it's time to find out what the script is doing with its variables. Try adding the red lines to login.php and see what's displayed:
Code:
//Get page to return to after login
$retpage="";
if (isset($_GET['page'])) $retpage=$_GET['page'];
die("RET_TO_VIEWED: ".RET_TO_VIEWED."<br />retpage: ".$retpage);
//If option selected, return to previously viewed page
if (RET_TO_VIEWED == 1 && $retpage != "") {
$pos=strpos($retpage,"?");
if ($pos === false) {
$sep="?";
} else {
$sep="&";
}
header("Location: ".$retpage.$sep."id='$id'");
} else {
header("Location: myaccount.php");
}
}
That should tell us the values of RET_TO_VIEWED and $retpage when you navigate to login.php to see if they are being passed properly.

05-04-2012, 05:41 AM
Member
Join Date: Apr 2011
Posts: 73
Re: Return Feature
RET_TO_VIEWED: 1
retpage: /updategeneralinfo.php?airport_id=20323
that looks correct to me...
When I put this on the end of my website url, it returns me to this page:
.../login.php?page=%2Fupdategeneralinfo.php%3Fairport_id%3D20323

05-04-2012, 07:13 AM
Senior Member
Join Date: Mar 2011
Location: UK
Posts: 1,054
Re: Return Feature
Quote:
RET_TO_VIEWED: 1
retpage: /updategeneralinfo.php?airport_id=20323
that looks correct to me...
|
Yes, me too. So, at that point in the script, the "return to previous page" script has done everything correctly.
Quote:
When I put this on the end of my website url, it returns me to this page:
.../login.php?page=%2Fupdategeneralinfo.php%3Fairport_id%3D20323
|
Which is also correct. You type in "www.mysite.com/updategeneralinfo.php?airport_id=20323" to your browser, which takes you to the updategeneralinfo.php page, which finds out you're not logged in so you're kicked back to the login.php page with the page URI that you're kicked from as the querystring.
So now let's see what happens just prior to login.php redirecting you back to the previous page. Alter your login.php as follows and see what's displayed now:
Code:
//Get page to return to after login
$retpage="";
if (isset($_GET['page'])) $retpage=$_GET['page'];
//If option selected, return to previously viewed page
if (RET_TO_VIEWED == 1 && $retpage != "") {
$pos=strpos($retpage,"?");
if ($pos === false) {
$sep="?";
} else {
$sep="&";
}
die("RET_TO_VIEWED: ".RET_TO_VIEWED."<br />retpage: ".$retpage);
header("Location: ".$retpage.$sep."id='$id'");
} else {
header("Location: myaccount.php");
}
}

05-04-2012, 09:22 PM
Member
Join Date: Apr 2011
Posts: 73
Re: Return Feature
I tried in both redirects but it didn't do anything. Sent me back to the login page. Which means it's probably not even looking at this code. It's turned on, I double checked.
dbc:
define ("RET_TO_VIEWED",1); // 1 = on, 0 = off
login:
//If option selected, return to previously viewed page
if (RET_TO_VIEWED == 1 && $retpage != "") {
$pos=strpos($retpage,"?");
if ($pos === false) {
$sep="?";
} else {
$sep="&";
}
die("RET_TO_VIEWED: ".RET_TO_VIEWED."<br />retpage: ".$retpage);
header("Location: ".$retpage.$sep."id='$id'");
} else {
die("RET_TO_VIEWED: ".RET_TO_VIEWED."<br />retpage: ".$retpage);
header("Location: myaccount.php");
}
}
}

05-04-2012, 10:00 PM
Senior Member
Join Date: Mar 2011
Location: UK
Posts: 1,054
Re: Return Feature
That's what I was saying earlier - something else is redirecting the script before it reaches my code. And I'll lay money that it was using $_SESSION['url'] for the redirect URI.
So is there a header ("Location: $_SESSION['url']"); in login.php before that code you pasted here? Or is there an include in login.php that includes a piece of code that performs that redirect?

05-04-2012, 11:40 PM
Member
Join Date: Apr 2011
Posts: 73
Re: Return Feature
I figured out why the redirect wasn't showing up; it was inside a cookie checker:
if(isset($_COOKIE['user_id'])){
$email = $_COOKIE['user_email'];
$user_id = $_COOKIE['user_id'];
$result = mysql_query("SELECT * FROM fpm_users WHERE id='$user_id' AND user_email='$email'");
if(mysql_num_rows($result) > 0){
//If option selected, return to previously viewed page
if (RET_TO_VIEWED == 1 && $retpage != "") {
$pos=strpos($retpage,"?");
if ($pos === false) {
$sep="?";
} else {
$sep="&";
}
header("Location: ".$retpage.$sep."id='$id'");
} else {
header("Location: myaccount.php");
}
}
}
This is the other redirect header:
//set a cookie
if(isset($_POST['remember'])){
$time = time()+60*60*24*COOKIE_TIME_OUT;
setcookie("user_id", $_SESSION['user_id'], $time);
setcookie("user_key", sha1($ckey), $time, "/");
setcookie("user_email", $_SESSION['user_email'], $time);
setcookie("pwd",$pass,time()+60*60*24*COOKIE_TIME_OUT, "/");
}
header("Location: ".$_SESSION['url']);
}
}
else
{...}
How do I write this so it won't matter whether the cookie is set or not?
When I have "remember me" selected, it took me to myaccount.php.

05-05-2012, 09:24 AM
Senior Member
Join Date: Mar 2011
Location: UK
Posts: 1,054
Re: Return Feature
Quote:
How do I write this so it won't matter whether the cookie is set or not?
|
It's impossible to say without seeing the whole of your login.php script, because you appear to be mixing 2 separate redirect methods. Also, what is outside the Cookie check code? More If conditions? If so, they will also affect the logic flow of the script.

05-06-2012, 11:40 AM
Member
Join Date: Apr 2011
Posts: 73
Re: Return Feature
Ok I have narrowed down some issues.
There are 2 redirects, one if the remember me is selected, and one without.
I have put your code in both places.
Now when I login, it's taking me to myaccount.php
//If option selected, return to previously viewed page
if (RET_TO_VIEWED == 1 && $retpage != "") {
$pos=strpos($retpage,"?");
if ($pos === false) {
$sep="?";
} else {
$sep="&";
}
header("Location: ".$retpage.$sep."id='$id'");
} else {
header("Location: myaccount.php");
}
I tried this just to see what it would give me:
//If option selected, return to previously viewed page
if (RET_TO_VIEWED == 1 && $retpage != "") {
$pos=strpos($retpage,"?");
if ($pos === false) {
$sep="?";
} else {
$sep="&";
}
header("Location: ".$retpage.$sep."id='$id'");
} else {
header("Location: ".$retpage.$sep."id='$id'");
}
}
.../id='13'
this is my user id number. I'm confused by this...
when I do a simple echo this is what $retpage = /updategeneralinfo.php?airport_id=20323
So if retpage is !="", then why is it returning false...

05-06-2012, 12:04 PM
Member
Join Date: Apr 2011
Posts: 73
Re: Return Feature
$retpage = "/updategeneralinfo.php?airport_id=20323"
--------------------
if (RET_TO_VIEWED == 1 && $retpage != "") {
echo "true";
} else {
echo "false";}
--------------------
false
--------------------
--------------------
if ($retpage != "") {
echo "true";
} else {
echo "false";}
--------------------
false
--------------------
if (!empty($retpage)) {
echo "true";
} else {
echo "false";}
--------------------
false
--------------------
So when I first come to the login page, it says $retpage is true, bc it has a value but then when I click login, that variable is being passed on again, so it returns a false value, bc $retpage is empty.

05-06-2012, 02:07 PM
Senior Member
Join Date: Mar 2011
Location: UK
Posts: 1,054
Re: Return Feature
Quote:
Originally Posted by fpmuser
Ok I have narrowed down some issues.
There are 2 redirects, one if the remember me is selected, and one without.
I have put your code in both places.
Now when I login, it's taking me to myaccount.php
//If option selected, return to previously viewed page
if (RET_TO_VIEWED == 1 && $retpage != "") {
$pos=strpos($retpage,"?");
if ($pos === false) {
$sep="?";
} else {
$sep="&";
}
header("Location: ".$retpage.$sep."id='$id'");
} else {
header("Location: myaccount.php");
}
I tried this just to see what it would give me:
//If option selected, return to previously viewed page
if (RET_TO_VIEWED == 1 && $retpage != "") {
$pos=strpos($retpage,"?");
if ($pos === false) {
$sep="?";
} else {
$sep="&";
}
header("Location: ".$retpage.$sep."id='$id'");
} else {
header("Location: ".$retpage.$sep."id='$id'");
}
}
.../id='13'
this is my user id number. I'm confused by this...
when I do a simple echo this is what $retpage = /updategeneralinfo.php?airport_id=20323
So if retpage is !="", then why is it returning false...
|
As I say, it's impossible to sort this out without seeing the whole of login.php. A bit like trying to find the cause of a headache but only being allowed to see the feet!
As for this:
Quote:
header("Location: ".$retpage.$sep."id='$id'");
} else {
header("Location: ".$retpage.$sep."id='$id'");
}
}
.../id='13'
this is my user id number. I'm confused by this...
when I do a simple echo this is what $retpage = /updategeneralinfo.php?airport_id=20323
So if retpage is !="", then why is it returning false...
|
Think how the URI of the page to return to is being constructed. If you are being redirected to www.mydomain.com?id='13', it's because $retpage IS blank. URI = $retpage + $sep + "id='id'" which = "" + "?" + "id='13'". Now WHY $retpage is empty is impossible to say without seeing the whole code.
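
Added example, not part of the original thread or of the login script's own code: one way to keep the return target across the login form POST (the point where $retpage turns up empty above) and to accept only same-site paths before the value reaches header("Location: ..."). The helper names and the hidden "page" form field are assumptions; login.php, myaccount.php and the page parameter are taken from the thread.

```php
<?php
// Added example, not code from the thread. safe_return_path(),
// requested_return_page() and return_page_field() are hypothetical helpers.

// Accept only a same-site absolute path such as
// "/updategeneralinfo.php?airport_id=20323"; otherwise use the fallback.
function safe_return_path($candidate, $fallback = 'myaccount.php')
{
    if (!is_string($candidate) || $candidate === '') {
        return $fallback;
    }
    // Control characters (CR/LF included) and backslashes are never needed
    // in a local path and are refused before the value reaches header().
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate)) {
        return $fallback;
    }
    // Exactly one leading slash: "http://host/" and "//host/" name another site.
    if ($candidate[0] !== '/' || substr($candidate, 0, 2) === '//') {
        return $fallback;
    }
    // Never bounce the user straight back to the login page.
    $path = parse_url($candidate, PHP_URL_PATH);
    if (!is_string($path) || basename($path) === 'login.php') {
        return $fallback;
    }
    return $candidate;
}

// The target arrives as login.php?page=... on the first visit. When the form
// is submitted it is present only if the form carried it along, so the POST
// body is checked first and the query string second.
function requested_return_page(array $get, array $post)
{
    if (isset($post['page'])) {
        return safe_return_path($post['page']);
    }
    if (isset($get['page'])) {
        return safe_return_path($get['page']);
    }
    return 'myaccount.php';
}

// Hidden field that keeps the validated target across the login POST.
function return_page_field($retpage)
{
    return '<input type="hidden" name="page" value="'
        . htmlspecialchars($retpage, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed sample requests: array(label => array($_GET, $_POST)).
$target  = '/updategeneralinfo.php?airport_id=20323';
$samples = array(
    'first visit, ?page= present'   => array(array('page' => $target), array()),
    'submit, hidden field present'  => array(array(), array('page' => $target)),
    'submit, nothing carried along' => array(array(), array('doLogin' => 'Login')),
    'absolute URL to another site'  => array(array('page' => 'http://example.com/'), array()),
    'scheme-relative URL'           => array(array('page' => '//example.com/'), array()),
);
foreach ($samples as $label => $request) {
    list($get, $post) = $request;
    printf("%-30s -> %s\n", $label, requested_return_page($get, $post));
}
echo return_page_field($target), "\n";
```

In login.php the value returned by requested_return_page($_GET, $_POST) would be the one passed to header("Location: ...") and followed by exit(), with return_page_field() echoed inside the login form.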