When a user tries to access our website via a link (for instance going to www.website.com/privatepage) they are redirected to a login page. Once they login, we want to redirect them to that intended URL - how do you do this?
当用户尝试通过链接访问我们的网站时(例如访问www.website.com/privatepage),他们会被重定向到登录页面。一旦他们登录,我们希望将他们重定向到预期的URL - 你是如何做到这一点的?
Also we have a use case where a user logs in from the homepage, or goes directly to the login page with no intended URL - in this case we'd like to redirect them to a default page.
我们还有一个用例,用户从主页登录,或者直接进入没有预期URL的登录页面 - 在这种情况下,我们想将它们重定向到默认页面。
Can anyone help me figure this out?
任何人都可以帮我解决这个问题吗?
4 个解决方案
#1
6
in your login page:
在您的登录页面中:
if you go to www.example.com/private_page
如果你去www.example.com/private_page
using CodeIgniter (on private page)
使用CodeIgniter(在私人页面上)
// if user is not logged in...
$_SESSION['redirect'] = $this->uri->segment(1);
redirect('login');
on login page
在登录页面上
// successfully logged in..
if (isset($_SESSION['redirect'])) {
redirect($_SESSION['redirect']);
} else {
// redirect to default page
}
#2
5
It might be a good idea to have a whitelist of accepted urls when redirecting in this fashion - otherwise, an attacker could send someone a link like example.com/login?attacker.com/fake_examplecom and the user will be redirected to the attacker's site while thinking they have just logged in to your site. The original url pointed to your site, so it looks trustworthy. There's a lot of nasty things that can be done with this, as you can imagine.
以这种方式重定向时,拥有接受网址的白名单可能是一个好主意 - 否则,攻击者可能会向某人发送一个像example.com/login?attacker.com/fake_examplecom这样的链接,用户将被重定向到攻击者的网站虽然他们认为他们刚刚登录到您的网站。原始网址指向您的网站,因此它看起来值得信赖。正如你所想象的那样,有很多令人讨厌的事情可以做到这一点。
#3
4
How are they redirected to the login page? Whichever method with which you do that, you can append a GET variable on the end of the login page URL, and then reference that variable on the login page.
他们如何重定向到登录页面?无论您使用哪种方法,都可以在登录页面URL的末尾附加GET变量,然后在登录页面上引用该变量。
So, user wants to access www.example.com/privatepage, but you need them to login at www.example.com/login first. Redirect them to www.example.com/login?targetpage=/privatepage, then in the code for your login page, you can access the targetpage variable.
因此,用户想要访问www.example.com/privatepage,但您需要先登录www.example.com/login。将它们重定向到www.example.com/login?targetpage=/privatepage,然后在登录页面的代码中,您可以访问targetpage变量。
#4
3
I usually store the page in a PHP session before I redirect to the login page. After logging in, see if the session value is set, if it is then redirect back to that page.
在重定向到登录页面之前,我通常将页面存储在PHP会话中。登录后,查看是否设置了会话值,如果是,则重定向回该页面。
#1
6
in your login page:
在您的登录页面中:
if you go to www.example.com/private_page
如果你去www.example.com/private_page
using CodeIgniter (on private page)
使用CodeIgniter(在私人页面上)
// if user is not logged in...
$_SESSION['redirect'] = $this->uri->segment(1);
redirect('login');
on login page
在登录页面上
// successfully logged in..
if (isset($_SESSION['redirect'])) {
redirect($_SESSION['redirect']);
} else {
// redirect to default page
}
#2
5
It might be a good idea to have a whitelist of accepted urls when redirecting in this fashion - otherwise, an attacker could send someone a link like example.com/login?attacker.com/fake_examplecom and the user will be redirected to the attacker's site while thinking they have just logged in to your site. The original url pointed to your site, so it looks trustworthy. There's a lot of nasty things that can be done with this, as you can imagine.
以这种方式重定向时,拥有接受网址的白名单可能是一个好主意 - 否则,攻击者可能会向某人发送一个像example.com/login?attacker.com/fake_examplecom这样的链接,用户将被重定向到攻击者的网站虽然他们认为他们刚刚登录到您的网站。原始网址指向您的网站,因此它看起来值得信赖。正如你所想象的那样,有很多令人讨厌的事情可以做到这一点。
#3
4
How are they redirected to the login page? Whichever method with which you do that, you can append a GET variable on the end of the login page URL, and then reference that variable on the login page.
他们如何重定向到登录页面?无论您使用哪种方法,都可以在登录页面URL的末尾附加GET变量,然后在登录页面上引用该变量。
So, user wants to access www.example.com/privatepage, but you need them to login at www.example.com/login first. Redirect them to www.example.com/login?targetpage=/privatepage, then in the code for your login page, you can access the targetpage variable.
因此,用户想要访问www.example.com/privatepage,但您需要先登录www.example.com/login。将它们重定向到www.example.com/login?targetpage=/privatepage,然后在登录页面的代码中,您可以访问targetpage变量。
#4
3
I usually store the page in a PHP session before I redirect to the login page. After logging in, see if the session value is set, if it is then redirect back to that page.
在重定向到登录页面之前,我通常将页面存储在PHP会话中。登录后,查看是否设置了会话值,如果是,则重定向回该页面。