Do not send the URL the user was trying to reach as a URL variable. This is ugly and error-prone: sites that do this forget to preserve the URL if the user enters an incorrect username or password or tries to retrieve the password.
After checking whether the user is logged in, and before redirecting to the login screen, save the current URL as a session variable.
ColdFusion:
<cfset session.fromurl = cgi.script_name & "?" & cgi.query_string />
PHP:
$_SESSION["fromurl"] = $_SERVER["REQUEST_URI"];
After the user has successfully logged in, assign the URL to a variable, delete the session variable, and then redirect.
ColdFusion:
<cfset variables.fromurl = session.fromurl />
<cfset structdelete(session, "fromurl") />
<cflocation url="#variables.fromurl#" addtoken="no" />
PHP:
if (isset($_SESSION['fromurl'])) {
    $url = $_SESSION['fromurl'];
    unset($_SESSION['fromurl']);
    // Redirect, then stop so the rest of the page does not run
    header('Location: ' . $url);
    exit;
}
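The same flow with both halves wrapped in functions, as an added example that is not part of the original post; the function names, /login.php, /index.php and the user_id session key are assumptions. It also checks that the saved value is a same-site path before it goes into the Location header, because REQUEST_URI is copied from the request line.

```php
<?php
// Added example: helper names, /login.php, /index.php and 'user_id' are assumptions.
session_start();

// Accept only a same-site absolute path: one leading "/", no "//" or "/\"
// (browsers resolve those to another host), and no control characters.
function safe_local_path(?string $url, string $default = '/index.php'): string
{
    if ($url === null || $url === '' || $url[0] !== '/') {
        return $default;
    }
    if (strlen($url) > 1 && ($url[1] === '/' || $url[1] === '\\')) {
        return $default;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return $default;
    }
    return $url;
}

// Call at the top of every protected page.
function require_login(): void
{
    if (!empty($_SESSION['user_id'])) {
        return;
    }
    // Save only GET requests; a POST body cannot be replayed by a redirect.
    if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        $_SESSION['fromurl'] = $_SERVER['REQUEST_URI'];
    }
    header('Location: /login.php');
    exit;
}

// Call from the login handler once the credentials have been verified.
// A failed attempt never touches $_SESSION['fromurl'], so it survives retries.
function finish_login(int $userId): void
{
    session_regenerate_id(true);   // issue a new session id after authentication
    $_SESSION['user_id'] = $userId;
    $url = safe_local_path($_SESSION['fromurl'] ?? null);
    unset($_SESSION['fromurl']);
    header('Location: ' . $url);
    exit;
}
```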