What should I use to redirect to a page?

Hello guys,
After login I want the user to be redirected to index.php. There are two commands to redirect, so which should I use and why? Please share your review.
RedirectToURL("index.php"); and the second is header("Location: index.php");
Which one should I use for redirection?

I avoid redirection by making the page a big if-else clause:

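// File names are placeholders for the real page and the log-in page.
if ($user === 'logged in') {       // comparison, not assignment
    include 'real_page.php';       // the page the visitor asked for
} else {
    include 'login_page.php';      // the log-in form, shown in place
}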

header("Location: http://mysite.example.com/index.php", true, 303);

This is a redirect with a See Other 303 HTTP Status Code, which is the most suitable redirect type after a user logs in (= submits a form using the POST method). Traditionally, an absolute URL is required but in practice relative URLs work everywhere and the plans are to standardize them as well.

If you are not doing an actual redirect then there are some usability issues with this method:

  1. When the user is on the subsequent page after logging in the URL does not represent the target page but the logging page accessed by POST so if someone chooses to refresh the page for any reason they get some weird alert from their browser asking them if they want to resend the data. If they proceed they will go through the logging script again.

  2. When the user on the subsequent page bookmarks the page or sends the link to someone it will not be valid because it’s not the actual URL of the page they are looking at.

These can only create confusion. I used to use an administration panel where redirects were avoided in a similar way and it literally drove me nuts whenever I needed to refresh the page to update it with changed data.

Not the way I do it. The visitor is always on the page he goes to. If he goes to a log in page he can log in and he remains on the log in page where he can use the menus to go elsewhere. If he goes to a working page and is logged in, he gets the working page. If not logged in, he gets the log in dialog and once logged in properly he is on the working page he went to originally. He is never on a page he didn’t go to. Granted, search engines never get to restricted pages, they always get the log in version but the way to avoid that is by excluding robots.

Yes, if the visitor “chooses to refresh the page for any reason they get some weird alert from their browser asking them if they want to resend the data.”

If they proceed they will go through the logging script again.

No, they don’t! The _SESSIONS variable has been updated. Since they are now logged in they get the working page they are on (any changes made to the page are lost, it’s the equivalent of a reset).

With very few exceptions, the action on all my forms is $_SERVER['PHP_SELF'] so the user stays put unless he chooses to go elsewhere. It’s possible your administration panel was not properly integrated with the rest of the code.

What I meant was not the internal workings of your php code but the fact that the user sees the strange question asking him if he wants to resend the data. Even if you handle it well with the use of sessions I consider it bad usability to have to answer such questions when the fact is the user has already sent his login data and should not be bothered about resending it if he’s already logged in.

Also what I mean is that if a page has a URL then this URL should represent the content of this page so that the address can be bookmarked, copied, etc. The only valid exception is when the user is in a sequence of several pages with form submission where one form depends on the previous one so you have a series of POST requests. There can also be some other more exotic cases where it would be acceptable to have a URL not pointing to a specific content but I’m talking about most common use cases.

From your explanation I didn’t fully understand if the above criteria are met by your system or not. If you meant that after logging in the user is not yet on any meaningful content page then I might agree this would be somewhat okay. But if the page might be of interest to him and he would like to bookmark it then I believe he should have already landed there with the proper URL that points to this specific page.

If the user does, in fact, refresh the page he would get a “strange question asking him if he wants to resend the data.” But would the user really refresh the page right after he got a fresh working page after logging in? If refreshing the page were the common occurrence it would make sense to worry about “usability.” I don’t believe it’s an issue with my code. At least, it’s been running for ten years in various websites and I have never had complaints.

Also what I mean is that if a page has a URL then this URL should represent the content of this page so that the address can be bookmarked, copied, etc. The only valid exception is when the user is in a sequence of several pages with form submission where one form depends on the previous one so you have a series of POST requests. There can also be some other more exotic cases where it would be acceptable to have a URL not pointing to a specific content but I’m talking about most common use cases.

All my pages can be bookmarked, copied, etc. The user should never wind up in unexpected places. If he bookmarks a password protected input form, for example, he should be taken to that input form whether or not he is logged in. But if he is not logged in then he has a hurdle, the log in process right there; he is not told to go elsewhere to log in and then come back, nor is he automatically redirected to a log in page (which might or might not know where he is coming from to send him back once properly logged in). In reality, it’s no different from a popup alert asking for the username and password.

From your explanation I didn’t fully understand if the above criteria are met by your system or not. If you meant that after logging in the user is not yet on any meaningful content page then I might agree this would be somewhat okay. But if the page might be of interest to him and he would like to bookmark it then I believe he should have already landed there with the proper URL that points to this specific page.

Here are two URLs that illustrate the system. In each case the user remains where he went to since there is no redirection:

1.- Login page (My Account)
2.- Working page (My Files)

Sorry, I can’t give you access but here is what the My Files page looks like after logging in.

This is the closest I know how to create modeless access to password protected pages without popup windows or alerts. The need for logging-in creates the need for the log-in mode but it happens in situ, not elsewhere.

PS: with HTML5 it might be possible to display the login dialog on top of an image of the destination page for better feedback.

Thanks, now I see that you have the login form embedded in each page and the form itself does not change the url so bookmarking is possible.

I can understand that because having the alert on page refresh is not a major issue and usually not something to complain about. Most probably I was an exception when I was using that admin panel I was talking about earlier - I opened several browser windows with the panel to organize my work so I needed to push refresh quite often. I know most people just stay in one browser window and don’t try anything fancy. Still, I’m trying to provide the best experience to users so if I had a system structured like yours I’d simply do a redirect to the same URL instead of the include just to enable hassle-free refreshes.
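
The redirect-to-the-same-URL approach suggested in the last post, combined with the 303 status from earlier in the thread, written out in PHP as an added example (not code from any poster here). `check_credentials()`, its demo account and `same_page_path()` are hypothetical names introduced for illustration.

```php
<?php
// Added example: in-page login, then a 303 redirect back to the same URL.
// check_credentials() and its demo account are constructed placeholders.
declare(strict_types=1);
session_start();

function check_credentials(string $user, string $pass): bool
{
    // A real site would look the stored hash up in its user table.
    static $hash = null;
    $hash ??= password_hash('correct horse', PASSWORD_DEFAULT);
    return hash_equals('demo', $user) && password_verify($pass, $hash);
}

// Build the redirect target from the request path only, so the Location
// header can never point at another host.
function same_page_path(string $requestUri): string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path) || $path === '' || $path[0] !== '/'
        || strncmp($path, '//', 2) === 0 || strpbrk($path, "\r\n\\") !== false) {
        return '/index.php';
    }
    return $path;
}

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$error  = '';
if ($method === 'POST' && empty($_SESSION['user'])) {
    $user = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    if (check_credentials($user, $pass)) {
        session_regenerate_id(true);   // fresh session ID once the user is authenticated
        $_SESSION['user'] = $user;
        // 303 makes the browser GET this same page, so a refresh resends nothing.
        header('Location: ' . same_page_path($_SERVER['REQUEST_URI'] ?? '/'), true, 303);
        exit;                          // stop here; no page body goes out with the redirect
    }
    $error = '<p>Invalid username or password.</p>';
}

if (!empty($_SESSION['user'])) {
    echo '<p>Working page for ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES) . '</p>';
} else {
    // No action attribute: the form posts back to the URL the visitor is on.
    echo $error, '<form method="post">',
         '<input name="username"> <input name="password" type="password">',
         '<button>Log in</button></form>';
}
```

The redirect keeps only the path of the current request; a page that depends on its query string would need to carry the validated parameters over as well.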