I have a problem similar to this one, but slightly different.
I have it structured like this:
The page the user wants to go to is something like displayData.php. This is the page they should end up back on. This page checks to see if you are logged in and the session isn’t expired like so:
```php
<?php
session_start();
// Top of displayData.php (and every other protected page); $baseURL is defined elsewhere.
if ($_SESSION["loggedIn"] != "YES")
{
    header ("Location: ".$baseURL."timeout.php");
    exit();
}
```
On timeout.php, I check the referrer:
```php
<?php
session_start();
// Remember where the user came from; HTTP_REFERER is whatever the browser sent.
$_SESSION['redirect'] = $_SERVER['HTTP_REFERER'];
$_SESSION["errorMessage"] = "Your session has timed out or<br>you have not logged in correctly.";
header ("Location: index.php");
exit();
?>
```
The problem arises after the user submits the login form and the login page checks to see if there is a referrer. We have already determined they have the correct login information, however.
```php
// On the login page, after the credentials have been verified.
if(isset($_SESSION['redirect'])){
    header ("Location: ".$_SESSION['redirect']);
}else{
    header ("Location: menu.php");
}
exit(); // stop processing once the redirect header has been sent
```
I would think that, logically, when the timeout page sets the variable with $_SERVER['HTTP_REFERER'], it would set it to the page that redirected to timeout.php, in this case displayData.php. However, it seems that instead it sets it to the referrer of displayData.php (which could be anything, but it is not what we want to send the user to).
Is this the intended effect of HTTP_REFERER, to not update if there was a header redirect? If so, that sucks and I need to rewrite about 80 files to change the login/timeout system. I hope there would be an easier way. We would have done this in a function-based system, but we are currently trying to extend legacy code.
Thanks much.
Edit:
To be slightly more clear here.
Think of it in a folder, /admin/. displayData.php is one of many files that can be accessed only by logging in (so we don't know what specific page they were trying to access when it detected they weren't logged in). Every one of these pages redirects to timeout.php when the session expires (or if there wasn't a session at all); therefore I want timeout.php to be able to determine the page that was previously accessed without a session, and then save that information so it can be used later to redirect the user back to the original page they requested on our site.
The reason I want to do it through the timeout.php file is that there are many files just like displayData.php, and I don't want to edit every single one of them to improve the system if I don't have to, for the time being.
If this still isn’t clear enough, let me know.
HTTP_REFERER is intended to be purely informational and is set by the browser, not the server. This means that it can be blank or something else entirely. It can also be manipulated by the user. It's best not to rely on it if possible.
Why not just set `$_SESSION['redirect']` when you're actually on a page, before it redirects to the session check script? For that matter, why redirect at all? You could include timeout.php almost unmodified in the script and use the `$_SERVER['PHP_SELF']` variable to determine what `$_SESSION['redirect']` should be set to.
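As an added example (not the asker's or the answerer's code), this is the include-based version the answer describes: one shared check script that records the requested path from the current request rather than from the Referer, plus a login step that only follows the stored target if it is a local path, so a tampered session value cannot be turned into an open redirect. The function names, the use of `$_SERVER['REQUEST_URI']` instead of `PHP_SELF` (it keeps the query string), and the file name `require_login.php` are assumptions.

```php
<?php
// require_login.php (assumed name): pulled into every protected page with
// `require_once` and called as requireLogin(); no redirect to timeout.php needed.
function requireLogin(string $loginPage = 'index.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (($_SESSION['loggedIn'] ?? '') === 'YES') {
        return;
    }
    // Record the page the user actually asked for, taken from *this* request.
    // REQUEST_URI keeps the query string; PHP_SELF (as in the answer) would drop it.
    $_SESSION['redirect'] = $_SERVER['REQUEST_URI'];
    $_SESSION['errorMessage'] = 'Your session has timed out or<br>you have not logged in correctly.';
    header('Location: ' . $loginPage);
    exit();
}

// Accept the stored target only if it is an absolute local path: no scheme, no host,
// not "//host" or "/\host", and no CR/LF that could inject another header.
function safeRedirectTarget(?string $target, string $fallback = 'menu.php'): string
{
    if ($target === null || $target === '') {
        return $fallback;
    }
    if (preg_match('#^/(?![/\\\\])[^\r\n]*$#', $target) !== 1) {
        return $fallback;
    }
    $parts = parse_url($target);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $target;
}

// Called by the login handler after the password check has succeeded.
function finishLogin(string $fallback = 'menu.php'): void
{
    $_SESSION['loggedIn'] = 'YES';
    session_regenerate_id(true);                       // fresh session id after authentication
    $target = safeRedirectTarget($_SESSION['redirect'] ?? null, $fallback);
    unset($_SESSION['redirect']);                      // one-time use
    header('Location: ' . $target);
    exit();
}
```

With this in place, `safeRedirectTarget('/admin/displayData.php?id=5')` returns the path unchanged, while `'//evil.example'` or `'http://evil.example/'` fall back to `menu.php`.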