-2

I'm trying to pass $user_domain to login.php. I get the value from first_page.php from header();. In returning_user.php I set a variable $_SESSION['returning_user'] to let my program know what to do in login.php. If everything goes well, the user stays on login.php. If something goes wrong, the user is redirected to first_page.php and must resubmit the form. The problem I'm facing right now is that the user is being returned to first_page.php when I include returning_user.php inside login.php. When I remove it, the user stays on login.php but it seems the code inside the if() statement is not being executed. I don't know what I'm doing wrong. Any help would be greatly appreciated.

first_page.php

//rest of code above
if($stmt){
header("Location: returning_user.php?domain=".$domain."&key=".$key."");
exit;
}

returning_user.php

session_start();
if(isset($_GET['key'])  && isset($_GET['domain']) ){

//get domain variable
$user_domain = $_GET['domain'];

//put key variable in session
$_SESSION['user_domain'] = $user_domain;

//create a returning_user session
$_SESSION['returning_user']="TRUE";

//direct user to login page
header("location:../login.php");
exit;

}else{
 header("location : first_page.php");
 exit;
   }

login.php

 session_start();
 include 'returning_user.php';

    if(isset($_SESSION['returning_user']) && $_SESSION['returning_user']=="TRUE"){
    //do something amazing here
}

var_dump($_GET)

array(2) { ["domain"]=> string(10) "mydomain" ["key"]=> string(7) "7024158" } 
Balloon Fight
  • 2
    So what does `var_dump($_GET)` tell you? – MatsLindh Oct 22 '17 at 21:58
  • 1
    My opinion is that the values of `$domain` and `$key` are the problem. So, as @MatsLindh kindly asked, you should provide us an output of the `$_GET` array. If you ignore our comments, then how do you expect us to help you? –  Oct 22 '17 at 22:13
  • 1
    Sorry, but I don't buy the accepted answer. What's the value of both GET arrays/variables? I see `$domain` and `$user_domain` and to me, this tells me of something not being defined correctly. I've tested your code with sample values and it didn't fail. – Funk Forty Niner Oct 22 '17 at 22:54
  • @Fred-ii-: After testing the code, you are right the problem is not in returning.php but in login.php – Balloon Fight Oct 22 '17 at 23:19
  • @MatsLindh : I did a `var_dump($_GET)` in `returning_user.php` and I got `array(2) { ["domain"]=> string(10) "mydomain" ["key"]=> string(7) "7024158" } ` so it's not empty – Balloon Fight Oct 22 '17 at 23:26
  • @aendeerei: I have updated the post – Balloon Fight Oct 22 '17 at 23:32
  • 1
    `include(returning_user.php);` if that's the actual syntax, it's erroring out and would have most likely thrown an undefined constant notice. It needs to be wrapped in quotes `include('returning_user.php');` and the session should be started if it wasn't and inside all pages using sessions. Use error reporting http://php.net/manual/en/function.error-reporting.php to see if it does return an error. `exit;` should also be used after header, otherwise your code may want to continue to execute. – Funk Forty Niner Oct 22 '17 at 23:44
  • @Fred-ii-: Thanks. I just updated everything here and I've performed tests in my program. I'm using error reporting but nothing gets reported. The `login.php` is really the problem: it executes the else statement in `returning_user.php` and sends me back to `first_page.php`. If I change `login.php` to `somerandom.php` and do not `include('returning_user.php');` I get redirected there with the variables without problems. If I remove the file in `login.php` it executes but I need the file to protect `login.php`. I don't know what I'm doing wrong here. – Balloon Fight Oct 23 '17 at 00:23
  • @BalloonFight Use error reporting like this: `error_reporting(E_ALL); ini_set('display_errors', 1);`. –  Oct 23 '17 at 01:29
  • @BalloonFight Since the problem seems to persist and there are more files involved, then it would be better to present whole codes and to describe the workflow better. For this reedit your question and append the new things. –  Oct 23 '17 at 01:35
  • @aendeerei: Thanks. I've updated everything. I'll be running more tests. – Balloon Fight Oct 23 '17 at 04:49
  • `returning_user.php` redirects and exits on all code branches. The code after `include 'returning_user.php';` never runs; it doesn't have any chance to do anything amazing. – axiac Oct 23 '17 at 05:39
  • @axiac: I guess you're the one who downvoted me. I've been programming for up to 12 hours today dude. So at this point my brain is pure mash. You mean to remove exit? Can you provide something please? Thanks. – Balloon Fight Oct 23 '17 at 06:42
  • @BalloonFight I was unclear. My apologies for that. I meant you to give the general workflow of the app (regarding the 3 files), not to describe the code steps which you implemented - since we already understand them. Anyway, I provided an alternative solution. If it helps you then I'm glad. If not, well, we try further ;-) –  Oct 24 '17 at 06:12

4 Answers

1

If domain contains a ?, it breaks the &key variable.

You should change your first_page.php to

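if($stmt){
    // urlencode() keeps reserved characters in $domain from splitting the query string
    header("Location: returning_user.php?domain=". urlencode($domain)."&key=".$key."");
    exit; // stop executing after sending the redirect header
}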
Jordi Kroon
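
The encoding point in this answer, as an added example that is not part of the original answer: it builds the redirect URL by plain concatenation and with `http_build_query()`, then parses each one the way the receiving page fills `$_GET`. The domain values containing reserved characters are constructed for illustration; the key is the one shown in the question's `var_dump` output.

```php
<?php
// Added example (not from the original answers): compares string concatenation
// with http_build_query() when building the redirect target for header().

/** Build the URL the way the question does: raw concatenation. */
function build_raw(string $domain, string $key): string
{
    return 'returning_user.php?domain=' . $domain . '&key=' . $key;
}

/** Build the URL with every value percent-encoded (RFC 3986). */
function build_encoded(string $domain, string $key): string
{
    return 'returning_user.php?' . http_build_query(
        ['domain' => $domain, 'key' => $key], '', '&', PHP_QUERY_RFC3986
    );
}

/** Parse a URL's query string the way PHP fills $_GET on the receiving page. */
function received_params(string $url): array
{
    $query = (string) parse_url($url, PHP_URL_QUERY);
    parse_str($query, $params);
    return $params;
}

// Constructed sample values: the key is from the question's var_dump output,
// the domain values are made up to contain reserved characters.
$key = '7024158';
$samples = ['mydomain', 'my&domain', 'my#domain', 'my+domain'];

foreach ($samples as $domain) {
    $urls = ['raw' => build_raw($domain, $key), 'encoded' => build_encoded($domain, $key)];
    foreach ($urls as $how => $url) {
        $got = received_params($url);
        // A value round-trips only if both parameters arrive exactly as sent.
        $ok = ($got['domain'] ?? null) === $domain && ($got['key'] ?? null) === $key;
        printf("%-8s %-50s %s\n", $how, $url, $ok ? 'round-trips' : 'CORRUPTED: ' . json_encode($got));
    }
}
```

Run with `php` on the command line: for the raw form, `&` splits the value into a second parameter, `#` moves everything after it (including `key`) into the fragment, and `+` is decoded as a space, while the encoded form round-trips every sample.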
1

BEFORE:

Your code has a problem, which I'll try to explain:

  • You, the user, are on the first_page.php.
  • From there you are redirected to returning_user.php. The GET values ("domain" and "key") are passed too.
  • returning_user.php reads the GET values (which are now SET), writes them to session and redirects you to login.php (WITHOUT passing the GET values too). Note: Technically you are passing two GET values to a page (returning_user.php) in order to save them there in session. This step is in my opinion not needed; you could have saved them in session directly in the first_page.php.
  • In login.php the page returning_user.php is included. It tries to read the GET values again. But, because the GET values are NOT ANYMORE SET, you are redirected to first_page.php.

Another problem is the one described by @MatsLindh.

AFTER:

So I gave some thought to what you want to achieve, and I came up with the following solution:

  • You, the user, are on the first_page.php.
  • You complete a form and submit it.
  • Upon submit, the values "domain", "key" and "returning_user" are written into session.
  • Then you are redirected to login.php.
  • In login.php a file named protector.php is included. protector.php checks if the session values "domain" and "key" are set. If not, a redirect to first_page.php takes place.
  • If the validation of the session variables in protector.php is successful, then the further codes in login.php can be processed. Like: read the session variable "returning_user" and do something amazing there :-)

Notes:

  • You can see protector.php as a replacement for your returning_user.php.
  • You can include protector.php in all pages which need to be "protected".
  • I would have renamed first_page.php to dashboard.php.
  • In first_page.php I implemented a form, in order to be able to display something on screen in case of a redirect from another page to first_page.php and to start the redirect to login.php upon clicking on a button, e.g. upon form submission.

Good luck!

first_page.php

<?php
session_start();

// Operations upon form submit.
if (isset($_POST['submitButton'])) {
    $stmt = TRUE;
    $domain = 'mydomain';
    $key = '7024158';

    if ($stmt) {
        $_SESSION['domain'] = $domain;
        $_SESSION['key'] = $key;
        $_SESSION['returning_user'] = 1; // Don't use 'TRUE'.

        header('Location: login.php');
        exit;
    }
}
?>
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />

        <title>Demo</title>

        <style type="text/css">
            .header, .section { padding: 10px; }
            .header { border-bottom: 1px solid #ccc; background-color: #eee; }
            .section div { padding-bottom: 10px; }
            .section button { padding: 10px; color: #fff; border: none; width: 200px; background-color: #269abc; }
        </style>
    </head>
    <body>

        <header class="header">
            <h3>
                Welcome! You are on the first page ;-)
            </h3>
        </header>

        <section class="section">
            <form action="" method="post">
                <div>
                    Here comes some form content...
                </div>
                <button type="submit" name="submitButton">
                    Submit
                </button>
            </form>
        </section>

    </body>
</html>

protector.php

<?php

session_start();

// Check domain and key.
if (!isset($_SESSION['domain']) || !isset($_SESSION['key'])) {
    header('Location: first_page.php');
    exit;
}

login.php

<?php

require_once 'protector.php';

echo 'Page validation successful.';
echo '<br/><br/>';

if (isset($_SESSION['returning_user']) && $_SESSION['returning_user']) {
    echo 'I will do something amazing here...';
}
0

When you do include 'returning_user.php'; in login.php, the code in returning_user.php runs. If you follow that code path from the top, you can see that regardless of the contents of any parameters, the end result is a redirect - either to login.php a directory down (.. these paths seem weird, as that means that the login.php you've added is not the same login.php as you're redirecting the user to) or to first_user.php.

I'm not sure you actually wanted to do include 'returning_user.php'; - it seems you've based everything else on that page setting up a session and then redirecting the user to the destination, instead of having the file being included (and when it's being included like that, you're importing the variables into the current scope - no need for a session for something like that).

MatsLindh
  • It works when I remove the `returning_user.php` from `login.php`. But just like you've figured out, I'm trying to use `returning_user.php` like we use a `session.php` to protect pages from being accessible from the browser. If I remove `returning_user.php`, the workflow works but `login.php` is no longer protected. Maybe I'm not understanding how to do this right. – Balloon Fight Oct 23 '17 at 23:01
0

I see your frustration. For a start, you DO need to remove returning_user.php from Login.

Then, replace your code in login with this:

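session_start();

// isset() only accepts variables, so the comparison has to be a separate condition
if(isset($_SESSION['returning_user']) && $_SESSION['returning_user'] == "TRUE"){
    echo "Success!";
}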

Also (and this is generally an unpopular opinion), to avoid using headers, which can cause other problems elsewhere, I much prefer to end my PHP tag, and place the following JavaScript

 <script>location.replace("whatever.php");</script>

And then pick my PHP tag up immediately after.

cmprogram