I am confused about PHP Post/Redirect/Get

In an article on preventing PHP form resubmissions, I read the following:

(Not quoting) This could be the page that receives the form data, for example called "form.php":

<form action="submit.php" method="post">
  <input type="text" name="user" required />
  <input type="password" name="pass" required />
  <input type="submit" value="Log in" />
</form>

The page that would process the POST data would therefore be called "submit.php". If the login went correctly, this code would run:

header('Location: /login/form.php?success=true');

However, couldn't a user just navigate to the URL above? Also, what is the purpose of the GET variable? Couldn't I just have a script at form.php that checks if the user is logged in?

At submit.php, should I save the logged-in username as $_SESSION['username'], and then check if isset() at form.php? Also, since a URL with "success" in it isn't really pretty, is it economical to redirect the user once again? Should I use PHP header() or JavaScript window.location.href? As you see, I'm sort of confused.

Thanks for any help.

LonelyWebCrawler asked Oct 06 '11 23:10


2 Answers

However, couldn't a user just navigate to the URL above?

Yes, he can. This will not cause anything bad though.

Also, what is the purpose of the GET variable?

To have some flag that represents the fact that the form has been processed successfully and you need to congratulate the user.

Couldn't I just have a script at form.php that checks if the user is logged in?

Uhm, you can keep your code in the way you like. There aren't any strong requirements.

At submit.php, should I save the logged-in username as $_SESSION['username'], and then check if isset() at form.php?

If you need to persist it across the current session - yes, do so.

Also, since a URL with "success" in it isn't really pretty, is it economical to redirect the user once again?

Redirect where? Redirection is a pretty cheap thing.

Should I use PHP header() or JavaScript window.location.href?

You definitely should do that in PHP, otherwise you'll get the troubles you're trying to avoid by following the PRG way.

zerkms answered Oct 01 '22 15:10
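The flow zerkms describes, as one added example (not code from the question, the answers or the article the asker quotes): a single login.php that renders the form on GET, checks the credentials on POST, stores the username in $_SESSION['username'], keeps the "congratulate the user" flag in the session instead of a ?success=true query variable, and redirects in PHP with header() followed by exit. BASE_URL and the demo account (a hash computed at startup) are assumptions standing in for real configuration and a real user store.

```php
<?php
// login.php: one script serves the form on GET and processes it on POST, then
// redirects back to itself (Post/Redirect/Get). Added example, not code from the
// original question or answers; BASE_URL and the demo account are assumptions.
declare(strict_types=1);
session_start();

const BASE_URL  = 'https://example.com';   // assumed canonical origin of the site
const DEMO_USER = 'alice';                 // constructed demo account, not a real user store
$demoHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string) ($_POST['user'] ?? '');
    $pass = (string) ($_POST['pass'] ?? '');

    if ($user === DEMO_USER && password_verify($pass, $demoHash)) {
        session_regenerate_id(true);                // fresh session id once authenticated
        $_SESSION['username'] = $user;              // what the asker proposed storing
        $_SESSION['flash']    = 'Login successful.'; // one-time message instead of ?success=true
    } else {
        $_SESSION['flash']    = 'Invalid username or password.';
    }

    // The redirect is the PRG step: the entry the browser keeps in its history is
    // a GET, so back/forward/reload never re-sends the posted credentials.
    header('Location: ' . BASE_URL . '/login.php', true, 303);
    exit;
}

// GET branch: consume the one-time message, then render.
$flash = $_SESSION['flash'] ?? null;
unset($_SESSION['flash']);
$username = $_SESSION['username'] ?? null;
$e = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($flash !== null): ?>
  <p><?= $e($flash) ?></p>
<?php endif; ?>
<?php if ($username !== null): ?>
  <p>Logged in as <?= $e($username) ?>.</p>
<?php else: ?>
  <form action="login.php" method="post">
    <input type="text" name="user" required />
    <input type="password" name="pass" required />
    <input type="submit" value="Log in" />
  </form>
<?php endif; ?>
</body>
</html>
```

The 303 status tells the browser to fetch the Location with GET regardless of the original method, which is exactly the history entry PRG wants; reading and then unsetting $_SESSION['flash'] makes the message show once, so reloading the GET page does not repeat it.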


PRG or Post/Redirect/Get is just a pattern you can use to prevent the message boxes. How you use it in detail (and the article only makes a generic suggestion) depends on your needs.

If you want to flag the success flash message inside a cookie or a session or a get variable, that's totally up to you. A second redirect won't help btw, you'll learn that if you play around with it.

The only important part is that after you have received the POST request, you do the redirect. The user can then still move back and forward in history without being asked to re-submit POST data.

The pattern works and is a fine thing. Just two days ago I did it again and a step-by-step webapp installer was much nicer to navigate with the browser interface.

About your redirect

This code is wrong:

header('Location:/login/form.php?success=true');

First of all, you need to have a space after the colon:

header('Location: /login/form.php?success=true');

Then the address must be an absolute URI, it must contain the full URL:

header('Location: http://example.com/login/form.php?success=true');

Next to the header(), you should provide a message body as per the RFC; many so-called "web developers" don't even know that:

$url = 'http://example.com/login/form.php?success=true';
header(sprintf('Location: %s', $url));
printf('<a href="%s">Moved</a>.', $url);
exit;

Don't forget the exit. Sure, that's pretty much reinventing the wheel; instead, install the http extension of PHP and just do this one line:

http_redirect('/login/form.php?success=true');

You find that nifty helper here.

To recap: what is important is that you do the redirect after the POST. Everything else, like passing a variable, is totally up to you how you would like to do it.

hakre answered Oct 01 '22 16:10
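The four-line redirect hakre shows, folded into a reusable helper as an added example (not code from the answer and not PHP's http extension): it builds the absolute URL the answer asks for from a configured origin, sends the Location header with a 303 status, prints the fallback body, and exits. Two checks a practitioner would want are included: headers_sent() so a redirect attempted after output has started fails loudly instead of silently, and a same-site path check so the helper can only ever send the browser to your own host. BASE_URL and the function names are assumptions.

```php
<?php
// redirect.php: a small PRG redirect helper. Added example, not code from the
// original answer or from PHP's http extension. BASE_URL is an assumed
// configuration value; replace it with your site's canonical origin.
declare(strict_types=1);

const BASE_URL = 'https://example.com';

/**
 * Build the absolute URL for a local path such as '/login/form.php?success=true'.
 * Only same-site paths are accepted: the path must start with a single '/', so
 * values like '//other.example' or '/\other.example' (which browsers treat as
 * scheme-relative) are rejected and the redirect can never leave this host.
 */
function absolute_url(string $path): string
{
    if ($path === '' || $path[0] !== '/') {
        throw new InvalidArgumentException("refusing to redirect to non-local path: $path");
    }
    if (isset($path[1]) && ($path[1] === '/' || $path[1] === '\\')) {
        throw new InvalidArgumentException("refusing to redirect to non-local path: $path");
    }
    return BASE_URL . $path;
}

/**
 * Send "303 See Other" to $path, emit the fallback body the RFC asks for, and stop.
 * 303 makes the browser fetch the target with GET whatever the original method was.
 */
function redirect_after_post(string $path): void
{
    if (headers_sent($file, $line)) {
        // Once output has started the Location header can no longer be sent.
        throw new RuntimeException("cannot redirect: output already started at $file:$line");
    }
    $url = absolute_url($path);
    header('Location: ' . $url, true, 303);
    printf('<a href="%s">Moved</a>.', htmlspecialchars($url, ENT_QUOTES, 'UTF-8'));
    exit;
}

// Usage, e.g. at the end of the POST branch in submit.php:
// redirect_after_post('/login/form.php?success=true');
```

The exit after header() matters for the same reason hakre gives: anything the script would otherwise go on to do (database writes, rendering a page) still happens on a redirect response, so the redirect must be the last statement the POST branch executes.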