The ?from= field the the Auth.php class generates is a "nive to have" feature - if someone is surfing your site, then has a break for a while, leaving their browser open, during which time their session times out, when they return they will be required to login again but the from value can help take them back to the page they were viewing.
As Kev points out, the from value is populated from $_SERVER['REQUEST_URI'] may not be available if you're using IIS or the CGI version of PHP. You can check where you have with the following;
PHP Code:
echo php_sapi_name()
When it comes to the login system, the form in 4.php has the following at the start;
PHP Code:
// If $_GET['form'] comes from the Auth class
if ( isset ( $_GET['from'] ) ) {
$target=$_GET['from'];
} else {
// Default URL: usually index.php
$target='5.php';
}
That could be a little smarter in checking the value of $_GET['form'] - right now if $_GET['form'] is empty, it will still be assigned to the $target variable, which is used to specify where the form should submit it's values to - in other words it will result in the form posting to itself (hence you never get back to the secured page).
The following is a quick fix;
PHP Code:
<?php
// If $_GET['form'] comes from the Auth class
if ( isset ( $_GET['from'] ) && !empty ( $_GET['from'] ) ) {
$target=$_GET['from'];
} else {
// Default URL: usually index.php
$target='5.php';
}
?>
That now checks $_GET['from'] has a value. A more careful check might be to determine whether the file specified in the from field actually exists.