PHP 08 POST Redirect Authn

The document discusses redirecting, routing, and authentication using sessions in web applications. It provides examples of using the HTTP Location header and POST-Redirect-GET pattern to redirect browsers. It also demonstrates storing user data and authentication information in server-side sessions to implement login and logout functionality. Code examples are given for a guessing game application that uses sessions to persist game state across page requests.


Redirect, Routing, and Authentication
Dr. Charles Severance
www.wa4e.com

http://www.wa4e.com/code/route.zip
[Diagram: Time / Browser (DOM, JavaScript) / Web Server (Apache, PHP, sessfun.php) / Database Server (MySql); the browser sends a Request and parses the Response over RRC/HTTP, the web server talks SQL to the database]
HTTP Status Codes
• http://www.dr-chuck.com/page1.htm - 200 OK
• http://www.wa4e.com/nowhere.htm - 404 Not Found
• http://www.drchuck.com/ - 302 Found / Moved (also known as "redirect")

https://en.wikipedia.org/wiki/List_of_HTTP_status_codes
HTTP Location Header
• If your application has not yet sent any data, it can send a special header as part of the HTTP Response.
• The redirect header includes a URL that the browser is supposed to forward itself to.
• It was originally used for web sites that moved from one URL to another.

http://en.wikipedia.org/wiki/URL_redirection

[Screenshot: error]

http://php.net/manual/en/function.header.php
http://www.wa4e.com/code/route/redir1.php

<?php
session_start();
if ( isset($_POST['where']) ) {
    if ( $_POST['where'] == '1' ) {
        header("Location: redir1.php");
        return;
    } else if ( $_POST['where'] == '2' ) {
        header("Location: redir2.php?parm=123");
        return;
    } else {
        header("Location: http://www.dr-chuck.com");
        return;
    }
}
?>
<html>
<body style="font-family: sans-serif;">
<p>I am Router Two...</p>
<form method="post">
<p><label for="inp9">Where to go? (1-3)</label>
<input type="text" name="where" id="inp9" size="5"></p>
<input type="submit"/></form>
</body>
[Screenshots: after we entered "2" and pressed "Submit", two pages were retrieved; the second page is shown]
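The router above sends a hard-coded destination for each choice, which is the safe shape: the value typed by the user selects a destination but never becomes part of the Location header itself. As an added example, not code from the slides or from wa4e.com, here is the same router written so that the choice is looked up in a fixed allow-list, the redirect is sent with status 303 so the browser follows with a GET, the script stops with exit so no HTML trails the redirect, and headers_sent() reports when output has already started (the situation the first bullet warns about). The file name route_safe.php, the ROUTES table and the error message are assumptions made for this example.

```php
<?php
// Added example, not from the slides: a router that resolves the submitted
// choice through an allow-list instead of placing user input in Location.
session_start();

// Hypothetical allow-list: the keys are the only values the form may send.
const ROUTES = [
    '1' => 'redir1.php',
    '2' => 'redir2.php?parm=123',
    '3' => 'http://www.dr-chuck.com',
];

// Map the submitted value to a destination, or null when it is not listed.
function pick_destination(array $post): ?string
{
    if (!isset($post['where']) || !is_string($post['where'])) {
        return null;
    }
    return ROUTES[trim($post['where'])] ?? null;
}

// Send the redirect and stop. 303 See Other makes the browser follow with a
// GET, which is the POST-Redirect-GET behaviour the slides describe.
function redirect(string $url): void
{
    if (headers_sent($file, $line)) {
        // header() cannot work once output has started; say where it started.
        throw new RuntimeException("Cannot redirect: output already sent at $file:$line");
    }
    header('Location: ' . $url, true, 303);
    exit;   // never fall through to the HTML below after a redirect
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $dest = pick_destination($_POST);
    if ($dest !== null) {
        redirect($dest);
    }
    // Unknown choice: record a message and still redirect (PRG on bad input too).
    $_SESSION['error'] = 'Please enter 1, 2 or 3.';
    redirect(basename(__FILE__));
}
?>
<html>
<body style="font-family: sans-serif;">
<p>I am a safer router...</p>
<?php if (isset($_SESSION['error'])) {
    echo '<p style="color:red">' . htmlentities($_SESSION['error']) . "</p>\n";
    unset($_SESSION['error']);   // shown once, then forgotten
} ?>
<form method="post">
<p><label for="inp9">Where to go? (1-3)</label>
<input type="text" name="where" id="inp9" size="5"></p>
<input type="submit"/></form>
</body>
</html>
```

Because the destination comes from the table and not from the request, a value such as a full URL typed into the field is simply rejected; the exit after header() matters just as much, since without it PHP would keep running and send the form markup along with the redirect.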
POST / Redirect / GET

POST / Refresh
• Once you do a POST, if you refresh, the browser will re-send the POST data a second time.
• The user gets a pop-up that tries to explain what is about to happen.

[Screenshot: guess.php - press Submit, then Refresh]
No Double Posts
• Typically POST requests are adding or modifying data whilst
GET requests view data
• It may be dangerous to do the same POST twice (say
withdrawing funds from a bank account)
• So the browser insists on asking the user (out of your control)
• Kind of an ugly UX / bad usability
POST Redirect Rule
• The simple rule for pages intended for a browser is to never generate a page with HTML content when the app receives POST data.
• Must redirect somewhere - even to the same script - forcing the browser to make a GET after the POST.

https://en.wikipedia.org/wiki/Post/Redirect/Get
(Review) http://www.wa4e.com/code/sessions/guess.php

<?php
$guess = '';
$message = false;
if ( isset($_POST['guess']) ) {
    // Trick for integer / numeric parameters
    $guess = $_POST['guess'] + 0;
    if ( $guess == 42 ) {
        $message = "Great job!";
    } else if ( $guess < 42 ) {
        $message = "Too low";
    } else {
        $message = "Too high...";
    }
}
?>
<html>
<head>
<title>A Guessing game</title>
</head>
<body style="font-family: sans-serif;">
<p>Guessing game...</p>
<?php
if ( $message !== false ) {
    echo("<p>$message</p>\n");
}
?>
<form method="post">
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess" size="40"
<?php echo 'value="' . htmlentities($guess) . '"'; ?>
/></p>
<input type="submit"/>
</form>
</body>
(Improved) http://www.wa4e.com/code/sessions/guess2.php

<?php
session_start();
if ( isset($_POST['guess']) ) {
    $guess = $_POST['guess'] + 0;
    $_SESSION['guess'] = $guess;
    if ( $guess == 42 ) {
        $_SESSION['message'] = "Great job!";
    } else if ( $guess < 42 ) {
        $_SESSION['message'] = "Too low";
    } else {
        $_SESSION['message'] = "Too high...";
    }
    header("Location: guess2.php");
    return;
}
?>
<html>
<head>
<title>A Guessing game</title>
</head>
<body style="font-family: sans-serif;">
<?php
$guess = isset($_SESSION['guess']) ? $_SESSION['guess'] : '';
$message = isset($_SESSION['message']) ? $_SESSION['message'] : false;
?>
<p>Guessing game...</p>
<?php
if ( $message !== false ) {
    echo("<p>$message</p>\n");
}
?>
<form method="post">
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess" size="40"
<?php echo 'value="' . htmlentities($guess) . '"';?>
/></p>
<input type="submit"/>
</form>
</body>
[Screenshots: guess2.php - enter "41" and press "Submit", then press "Refresh"]

[Diagram: Time / Browser (DOM, JavaScript) / Web Server (Apache, PHP, sessfun.php, Sessions: 42 6f 3e) / Database Server (MySql); Send Request and Parse Response over RRC/HTTP; SQL between web server and database]
Login and Logout Using Session

Session / Authentication
• Having a session is not the same as being logged in.
• Generally you have a session the instant you connect to a web site.
• The Session ID cookie is set when the first page is delivered.
• Login puts user information in the session (stored in the server).
• Logout removes user information from the session.

[Diagram: Time / Browser (DOM, JavaScript) / Web Server (Apache, PHP, sessfun.php, Sessions: 42 6f 3e) / Database Server (MySql); Send Request and Parse Response over RRC/HTTP; SQL between web server and database]
Simple application with login, logout, and flash using session

http://www.wa4e.com/code/route/app.php
http://www.wa4e.com/code/route.zip
login.php - http://www.wa4e.com/code/sessions/login.php

<?php
session_start();
if ( isset($_POST["account"]) && isset($_POST["pw"]) ) {
    unset($_SESSION["account"]); // Logout current user
    if ( $_POST['pw'] == 'umsi' ) {
        $_SESSION["account"] = $_POST["account"];
        $_SESSION["success"] = "Logged in.";
        header( 'Location: app.php' ) ;
        return;
    } else {
        $_SESSION["error"] = "Incorrect password.";
        header( 'Location: login.php' ) ;
        return;
    }
}
?>
<html>
<body style="font-family: sans-serif;">
<h1>Please Log In</h1>
<?php
if ( isset($_SESSION["error"]) ) {
    echo('<p style="color:red">'.$_SESSION["error"]."</p>\n");
    unset($_SESSION["error"]);
}
if ( isset($_SESSION["success"]) ) {
    echo('<p style="color:green">'.$_SESSION["success"]."</p>\n");
    unset($_SESSION["success"]);
}
?>
<form method="post">
<p>Account: <input type="text" name="account" value=""></p>
<p>Password: <input type="text" name="pw" value=""></p>
<!-- password is umsi -->
<p><input type="submit" value="Log In">
<a href="app.php">Cancel</a></p>
</form>
</body>
POST-Redirect-GET-Flash
• POST detects error in input data and puts a message into $_SESSION and redirects
• GET sees the message in the session, displays it and then deletes it
• Flash = "Seen once"
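The "Improved" guess2.php earlier on the page keeps its message in the session, and these bullets say a flash is seen once and then deleted. As an added example that is not code from the slides, the two ideas are put together in a hypothetical guess3.php: the guess is validated with filter_var() rather than the "+ 0" trick (which cannot turn arbitrary text into a usable number), every POST is answered with a 303 redirect, and the result is written to a flash slot that flash_get() clears on its first read, so the page after Submit shows the message and a Refresh does not. SECRET, flash_set(), flash_get() and parse_guess() are names and values chosen for this example.

```php
<?php
// Added example, not from the slides: guessing game with POST-Redirect-GET
// and a message that is shown exactly once (a "flash").
session_start();

// Store a message for the next request only.
function flash_set(string $key, string $message): void
{
    $_SESSION['flash'][$key] = $message;
}

// Return the message and forget it, so a Refresh does not show it again.
function flash_get(string $key): ?string
{
    if (!isset($_SESSION['flash'][$key])) {
        return null;
    }
    $message = $_SESSION['flash'][$key];
    unset($_SESSION['flash'][$key]);
    return $message;
}

// Strict whole-number check; anything else is rejected instead of coerced.
function parse_guess(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $value = filter_var(trim($raw), FILTER_VALIDATE_INT);
    return $value === false ? null : $value;
}

// The game rule; SECRET is a constructed value for this example.
const SECRET = 42;
function judge(int $guess): string
{
    if ($guess === SECRET) {
        return 'Great job!';
    }
    return $guess < SECRET ? 'Too low' : 'Too high...';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $raw = $_POST['guess'] ?? null;
    $guess = parse_guess(is_string($raw) ? $raw : null);
    if ($guess === null) {
        flash_set('error', 'Please enter a whole number.');
    } else {
        $_SESSION['guess'] = $guess;          // kept so the form can refill itself
        flash_set('message', judge($guess));
    }
    header('Location: ' . basename(__FILE__), true, 303);   // same script, as a GET
    exit;
}

// GET: read the state, consuming the flash messages.
$guess   = $_SESSION['guess'] ?? '';
$error   = flash_get('error');
$message = flash_get('message');
?>
<html>
<head><title>A Guessing game</title></head>
<body style="font-family: sans-serif;">
<p>Guessing game...</p>
<?php if ($error !== null) { echo '<p style="color:red">' . htmlentities($error) . "</p>\n"; } ?>
<?php if ($message !== null) { echo '<p>' . htmlentities($message) . "</p>\n"; } ?>
<form method="post">
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess" size="40"
  value="<?php echo htmlentities((string) $guess); ?>" /></p>
<input type="submit"/>
</form>
</body>
</html>
```

Submitting "41" stores the guess and the "Too low" flash, redirects, and the GET renders the message while deleting it; pressing Refresh on that page repeats only the GET, so the form comes back filled with 41 and no message, and the browser never asks about re-sending form data.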


[Sequence diagram, four frames over Time: the Browser (cookie C123) POSTs to login.php on Apache; the password is bad, so "Bad PW" is placed in $_SESSION (S123) and Apache answers with a Redirect; the Browser GETs login.php and the "Bad PW" flash is shown; the Browser presses Refresh on login.php and $_SESSION no longer holds the message]
<?php session_start(); ?>
<html><head></head><body style="font-family: sans-serif;">
<h1>Cool Application</h1>
<?php
if ( isset($_SESSION["success"]) ) {
    echo('<p style="color:green">'.$_SESSION["success"]."</p>\n");
    unset($_SESSION["success"]);
}

// Check if we are logged in!
if ( ! isset($_SESSION["account"]) ) { ?>
<p>Please <a href="login.php">Log In</a> to start.</p>
<?php } else { ?>
<p>This is where a cool application would be.</p>
<p>Please <a href="logout.php">Log Out</a> when you are done.</p>
<?php } ?>
</body></html>

http://www.wa4e.com/code/sessions/app.php
[Sequence diagram, four frames over Time: the Browser (cookie C123) POSTs the account to login.php on Apache; "Logged In" and the account are placed in $_SESSION (S123) and Apache answers with a Redirect; the Browser GETs app.php and the Login flash is shown; the Browser presses Refresh on app.php and $_SESSION still holds the account but not the flash]
logout.php

<?php
session_start();
session_destroy();
header("Location: app.php");
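The login.php, app.php and logout.php files above compare the submitted password with the literal "umsi", keep the same session id across the login, and destroy the server-side session at logout while the browser keeps its cookie. As an added example, not the course's code, the same three pages are collapsed into one hypothetical file, auth_demo.php, selected with ?page=login, ?page=app or ?page=logout: the password is checked with password_verify() against a hash (the slides' demo password "umsi" is used only to seed that hash), session_regenerate_id() issues a fresh id once the login succeeds, and logout() clears the session data, expires the cookie and then destroys the server record. The users() table, the page names and the messages are constructed for this example.

```php
<?php
// Added example, not the course's code: login / app / logout in one
// hypothetical file (auth_demo.php) selected by ?page=login|app|logout.
session_start();

// Constructed credential store. In practice the hash is produced once with
// password_hash() and kept in a database; it is computed here only so the
// example runs stand-alone. 'umsi' is the demo password from the slides.
function users(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['chuck' => password_hash('umsi', PASSWORD_DEFAULT)];
    }
    return $users;
}

// Return the account name when the credentials match, otherwise null.
// An unknown account is checked against a throw-away hash so that the
// "no such user" and "wrong password" cases take about the same time.
function authenticate(string $account, string $pw): ?string
{
    $hash = users()[$account] ?? password_hash('throw-away', PASSWORD_DEFAULT);
    $ok = password_verify($pw, $hash);
    return ($ok && isset(users()[$account])) ? $account : null;
}

// Fresh id at login: the session that existed before the login must not
// carry the authenticated state under its old identifier.
function login(string $account): void
{
    session_regenerate_id(true);
    $_SESSION = ['account' => $account, 'success' => 'Logged in.'];
}

// Forget the data, expire the browser's cookie, then drop the server record.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Having a session is not the same as being logged in.
function is_logged_in(): bool
{
    return isset($_SESSION['account']);
}

function redirect(string $url): void
{
    header('Location: ' . $url, true, 303);
    exit;
}

// Show a session message once, then delete it (flash).
function flash(string $key, string $color): void
{
    if (isset($_SESSION[$key])) {
        echo '<p style="color:' . $color . '">' . htmlentities($_SESSION[$key]) . "</p>\n";
        unset($_SESSION[$key]);
    }
}

$self = basename(__FILE__);
$page = $_GET['page'] ?? 'app';

if ($page === 'logout') {
    logout();
    redirect("$self?page=app");
}
if ($page === 'login' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $account = $_POST['account'] ?? '';
    $pw      = $_POST['pw'] ?? '';
    $who = (is_string($account) && is_string($pw)) ? authenticate($account, $pw) : null;
    if ($who !== null) {
        login($who);
        redirect("$self?page=app");
    }
    $_SESSION['error'] = 'Incorrect password.';   // same text for an unknown account
    redirect("$self?page=login");
}
?>
<html><head></head><body style="font-family: sans-serif;">
<?php if ($page === 'login') { ?>
<h1>Please Log In</h1>
<?php flash('error', 'red'); flash('success', 'green'); ?>
<form method="post">
<p>Account: <input type="text" name="account" value=""></p>
<p>Password: <input type="password" name="pw" value=""></p>
<p><input type="submit" value="Log In"> <a href="<?php echo $self; ?>?page=app">Cancel</a></p>
</form>
<?php } else { ?>
<h1>Cool Application</h1>
<?php flash('success', 'green'); ?>
<?php if (!is_logged_in()) { ?>
<p>Please <a href="<?php echo $self; ?>?page=login">Log In</a> to start.</p>
<?php } else { ?>
<p>This is where a cool application would be.</p>
<p>Please <a href="<?php echo $self; ?>?page=logout">Log Out</a> when you are done.</p>
<?php } ?>
<?php } ?>
</body></html>
```

The flow is unchanged from the slides (POST to the login page, flash into the session, redirect, GET shows the flash once), but the secret no longer appears in the source or in an HTML comment, the password field is type="password" so it is not echoed on screen, and after logout the browser holds no cookie that still names the destroyed session.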
Summary
• Redirect
• Post-Redirect-Get
• Flash Messages
• Sessions and Login / Logout
Acknowledgements / Contributions
These slides are Copyright 2010- Charles R. Severance (www.dr-chuck.com) as part of www.wa4e.com and made available under a Creative Commons Attribution 4.0 License. Please maintain this slide in all copies of the document to comply with the attribution requirements of the license. If you make a change, feel free to add your name and organization to the list of contributors on this page as you republish the materials.

Initial Development: Charles Severance, University of Michigan School of Information

Insert new Contributors and Translators here including names and dates

Copyright Attribution
• Cookie Image: By brainloc on sxc.hu (Bob Smith) (stock.xchng) [CC BY 2.5 (http://creativecommons.org/licenses/by/2.5)], via Wikimedia Commons