In an article on preventing PHP form resubmissions, I read the following:
(Not quoting) This could be the page that receives the form data, for example called “form.php”:
<form action="submit.php" method="post">
<input type="text" name="user" required />
<input type="password" name="pass" required />
<input type="submit" value="Log in" />
</form>
The page that would process the POST data would therefore be called “submit.php”. If the login went correctly, this code would run:
header('Location: /login/form.php?success=true');
However, couldn’t a user just navigate to the URL above? Also, what is the purpose of the GET variable? Couldn’t I just have a script at form.php that checks if the user is logged in?
At submit.php, should I save the logged in username as $_SESSION['username'], and then check it with isset() at form.php? Also, since a URL with "success" in it isn't really pretty, is it economical to redirect the user once again? Should I use PHP header() or JavaScript window.location.href? As you see, I'm sort of confused.
Thanks for any help.
Yes, he can. This will not cause anything bad, though.
To have some flag that represents the fact that the form has been processed successfully and you need to congratulate the user.
Uhm, you can keep your code the way you like. There are no strong requirements.
If you need to persist it across the current session – yes, do so.
Redirect where? Redirection is a pretty cheap thing.
You definitely should do that in PHP, otherwise you'll get the troubles you're trying to avoid by following the PRG way.
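The PRG flow the answer describes, written out as an added example (not code from the question or the answer): submit.php stores the login result and a one-shot flag in the session and redirects with a 303, and form.php reads the session instead of a ?success=true query string. The file names, the $_SESSION keys and the stored password hash are assumptions for the example.

```php
<?php
// ---------- submit.php (receives the POST from form.php) ----------
session_start();

// Anyone can GET this URL directly; just send them back to the form.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: /login/form.php', true, 303);
    exit;                                   // always stop after a redirect
}

$user = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';

// Assumption: a password_hash() value looked up by username in your store.
$storedHash = lookup_password_hash($user);  // hypothetical helper

if ($storedHash !== null && password_verify($pass, $storedHash)) {
    session_regenerate_id(true);            // fresh session id after login
    $_SESSION['username'] = $user;
    $_SESSION['flash'] = 'Logged in successfully';  // one-shot flag
} else {
    $_SESSION['flash'] = 'Wrong username or password';
}

// 303 makes the browser re-request form.php with GET, so a page refresh
// there no longer resubmits the credentials.
header('Location: /login/form.php', true, 303);
exit;

// ---------- form.php (shows either the result or the form) ----------
session_start();

$flash = $_SESSION['flash'] ?? null;
unset($_SESSION['flash']);                  // consume it: shown only once
if ($flash !== null) {
    echo '<p>' . htmlspecialchars($flash, ENT_QUOTES, 'UTF-8') . '</p>';
}

if (isset($_SESSION['username'])) {
    // The isset() check from the question, no GET variable needed.
    echo 'Welcome, ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
} else {
    echo '<form action="submit.php" method="post">'
       . '<input type="text" name="user" required>'
       . '<input type="password" name="pass" required>'
       . '<input type="submit" value="Log in">'
       . '</form>';
}
```

The two sections are separate files in practice; they are shown together only so the session keys written by one and read by the other sit side by side.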