Is there anything wrong with storing the "current_url()" function in a session variable for login return url?
#1

[eluser]dwhite7508[/eluser]
I have my site set up to create a session with the variable "lastPage" set to the "current_url()" function. Any page that has that and gets redirected to the login page sends that information. When the user logs in they are sent back to the $lastPage.

This may not be the BEST way, but it is working for me just fine on my somewhat small and uncomplicated site. Are there any risks to doing it this way as far as security goes?

I've looked into other methods and they just seem SOoooo complicated and heavy code wise.

Thanks in advance for the help.
#2

[eluser]oppenheimer[/eluser]
I don't see any risk as long as controllers check for authorization.

Also, have you tested all the various conditions like:
<ul><li>Failed login attempt</li>
<li>Successful login attempt</li>
<li>User visits several pages then logs in</li>
<li>User goes to login page first and then logs in</li>
<li>The lastlogin page is changed by the user to a different page</li>
</ul>
#3

[eluser]dwhite7508[/eluser]
All of those work perfectly but I don't understand your last list item... "The lastlogin page is changed by the user to a different page..."
#4

[eluser]oppenheimer[/eluser]
Sorry. I should have been more specific. That is testing if the user hacks the session data and changes it. If you store the session data in your database, I think that wouldn't be possible.
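
The last test case in the thread, a changed "lastPage" value, can be covered by checking the stored value before redirecting to it. The following is an added example and not part of any post above; `safe_return_url()`, the `/login` path and the sample URLs are assumptions made for illustration.

```php
<?php
// Added example: validate the session's "lastPage" value before redirecting.
// safe_return_url() is a hypothetical helper, not a CodeIgniter function.
function safe_return_url($stored, $base_url, $default = '/', $login_path = '/login')
{
    // Missing, non-string, or containing control characters or backslashes:
    // fall back to the default landing page.
    if (!is_string($stored) || $stored === ''
        || preg_match('/[\x00-\x1F\x7F\\\\]/', $stored)) {
        return $default;
    }
    $target = parse_url($stored);
    $site   = parse_url($base_url);
    if ($target === false || $site === false || !isset($site['host'])) {
        return $default;
    }
    // current_url() produces an absolute URL, so require http(s), no embedded
    // credentials, and the same host and port as the site's own base URL.
    $scheme = isset($target['scheme']) ? strtolower($target['scheme']) : '';
    $host   = isset($target['host']) ? strtolower($target['host']) : '';
    $t_port = isset($target['port']) ? $target['port'] : null;
    $s_port = isset($site['port']) ? $site['port'] : null;
    if (!in_array($scheme, array('http', 'https'), true)
        || $host !== strtolower($site['host'])
        || $t_port !== $s_port
        || isset($target['user']) || isset($target['pass'])) {
        return $default;
    }
    // Do not bounce the user straight back to the login page (assumed path).
    $path = isset($target['path']) ? rtrim($target['path'], '/') : '';
    $tail = substr($path, -strlen($login_path));
    if ($login_path !== '' && strcasecmp($tail, $login_path) === 0) {
        return $default;
    }
    return $stored;
}

// Constructed sample values, as they might appear in $_SESSION['lastPage'].
$base = 'https://example.test/';
$samples = array(
    'https://example.test/orders/view/42', // same site: kept
    'https://other.example/page',          // different host: default
    '//other.example/page',                // scheme-relative: default
    'https://example.test/login',          // login page itself: default
);
foreach ($samples as $s) {
    echo $s, ' => ', safe_return_url($s, $base), "\n";
}
```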



