Header('location: ' . $_SERVER['PHP_SELF']) causes refresh?

I’m using the method described here to avoid the POST data resubmit problem. Basically I have my script check to see if there is POST data in an incoming request, and if there is it takes that data and stores it in $_SESSION, then redirects the user to the same page by using header('location: ' . $_SERVER['PHP_SELF']).

The problem is that this causes the page to refresh instead of loading the page as a new spot in history in Firefox and IE. This is probably intentional and it makes sense, but it creates a problem for my script:

Say you come from an external site to index.php. This page generates a login form if you aren’t logged in. When you submit the form, the post data is converted to session data and you are redirected to the same page again. This way you will never resubmit post data by refreshing the page or accessing it again via the back and forward buttons. If you enter in the wrong credentials, I have the same page generate an error message. Now if you try to click your browser’s back button to go back to the login form when looking at that error message, you are instead taken all the way back to the external site you came in from. That’s because the page was only refreshed when you submitted the form. This happens in Firefox and IE, but not in Opera.

So I guess my question is this: Is there a way to redirect someone to the same page (PHP_SELF) and force them to open that page as a new page in the browser’s history?

I can’t really show you an online example, as my script won’t work since I don’t have my online database setup yet, but here is the abbreviated code:

<?php
// Abbreviated: connect_to_db(), build_login(), build_error(), build_footer()
// and quote_smart() are helpers defined elsewhere and not shown here.
session_start();

// If the request carries POST data, copy the login fields into the session
// and redirect to the same page so a reload does not resubmit the form.
if (!empty($_POST)) {
    foreach ($_POST as $vn => $v) {
        if ($vn == 'user' or $vn == 'pwd') {
            $v = trim($v);
            $_SESSION[$vn] = substr($v, 0, 25);
        }
    }
    // The script's own path is in $_SERVER, not $_SESSION.
    header('Location: ' . $_SERVER['PHP_SELF']);
    die();
}
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
    <head>
        <title>Hello</title>
        <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
    </head>
    <body>

<?php
connect_to_db();

// Read the stored credentials without raising a notice when they are absent.
$user = isset($_SESSION['user']) ? $_SESSION['user'] : null;
$pwd = isset($_SESSION['pwd']) ? $_SESSION['pwd'] : null;

if (!isset($user) or !isset($pwd)) {
    // Not logged in yet: show the login form.
    build_login();
    build_footer();
    die();
} else {
    // quote_smart() escapes and quotes each value before it goes into the query.
    $term1 = quote_smart($user);
    $term2 = quote_smart($pwd);
    $query = "select * from users where username=$term1 and password=$term2";
    $result = @mysql_query($query);
    if (!$result) {
        build_error('A database error has occurred. Unable to process user authorization query.');
        build_footer();
        die();
    }

    if (mysql_num_rows($result) == 0) {
        // Wrong credentials: drop them from the session and show the error.
        unset($_SESSION['user']);
        unset($_SESSION['pwd']);
        build_error('Username or password incorrect. Please go back and try again.');
        build_footer();
        die();
    }
}
?>

        <p>Super Secret Content!</p>

<?php
build_footer();
?>
      
     Thanks in advance =)

You could try to add a _GET parameter like ‘?login=true’. I am not sure if this will work.

You could also make the login page the page after the index.php page. Another option is to put a link back to the login page that can’t be missed. The vast majority of folks will use the link vs the back button. You could also put a little text warning that the back button won’t take you to the login page.

You could also use <meta> tags, pure HTML =]
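
The redirect-after-POST flow from the question, as an added example that is not part of the original thread: the credentials are checked while handling the POST, only the outcome is kept in $_SESSION (never the password), and the redirect is a 303 to SCRIPT_NAME instead of PHP_SELF. check_credentials() and its sample account are hypothetical stand-ins for the database lookup.

```php
<?php
// Added example, not the poster's code.
session_start();

// Hypothetical stand-in for the database lookup (constructed sample account).
function check_credentials(string $user, string $pwd): bool
{
    // A real lookup would fetch the stored password hash by username.
    $sampleHash = password_hash('example-password', PASSWORD_DEFAULT);
    return $user === 'alice' && password_verify($pwd, $sampleHash);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Accept only scalar strings; array-valued fields are treated as empty.
    $user = is_string($_POST['user'] ?? null) ? substr(trim($_POST['user']), 0, 25) : '';
    $pwd  = is_string($_POST['pwd'] ?? null) ? $_POST['pwd'] : '';

    if (check_credentials($user, $pwd)) {
        session_regenerate_id(true);          // fresh session id after login
        $_SESSION['auth_user'] = $user;       // store the outcome, not the password
    } else {
        $_SESSION['flash_error'] = 'Username or password incorrect.';
    }

    // SCRIPT_NAME, unlike PHP_SELF, carries no client-supplied path info.
    // 303 See Other tells the browser to fetch the target with GET.
    header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
    exit;
}

// One-time error message left by the POST branch.
$error = $_SESSION['flash_error'] ?? null;
unset($_SESSION['flash_error']);
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Hello</title></head>
<body>
<?php if (isset($_SESSION['auth_user'])): ?>
    <p>Super Secret Content!</p>
<?php else: ?>
    <?php if ($error !== null): ?>
        <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
    <?php endif; ?>
    <form method="post" action="<?= htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8') ?>">
        <input name="user" maxlength="25"> <input name="pwd" type="password">
        <button type="submit">Log in</button>
    </form>
<?php endif; ?>
</body>
</html>
```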