Where to store the return URL in a login form/controller

Published 2024-09-18 15:25:46, 265 characters, 4 views, 0 comments

I am wondering how to best deal with a return url in a login form. I think a good way is probably how it is done here. That is to urlencode the current url and send it as a get parameter to the login controller.

This can then be urldecoded in the login controller. But what then? I looked at the StackOverflow login page, and I couldn't find that url anywhere. Where is it stored? How does it know where to go when the login is done? Is it stored in a cookie? Session variable? Or something else?

I guess things can be done a bit differently than in PHP, but anyways. What is a good way to do this?

Comments (2)

成熟稳重的好男人 2024-09-25 15:25:46

If it were me, I would set the return URL in a session. This way you can calculate the appropriate URL and keep things separate from the presentation layer. Upon detecting a return URL is set, and a post object is present, you can set the location header and exit the script. Example...

<?php
// Make the session available before reading or writing $_SESSION.
session_start();

// You have the URL to return to (could be a constantly updated session variable
// or simply set when a certain page is accessed via HTTP_REFERER - it's open).
// In an MVC application (like StackOverflow) you could add this to the controller
// for any view with return functionality. $Url is whatever your controller chose.
$_SESSION['RETURN_URL'] = $Url;

// Now you have validated and processed a form (from the model). If there is a
// return url set, we redirect to it. Otherwise, we follow the default action of
// the form.
if ($FormValidatedAndSubmitted) {
    returnToURL();
}

function returnToURL() {
    if (isset($_SESSION['RETURN_URL'])) {
        header("Location: " . $_SESSION['RETURN_URL']);
        // Consume the target so it is not reused by a later form submit.
        unset($_SESSION['RETURN_URL']);
        exit();
    }
}
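
The flow the question describes (current URL urlencoded into a GET parameter of the login controller, kept in the session as this answer suggests, used after login), as an added example that is not the answer's own code and not StackOverflow's. It adds the check returnToURL() above does not make: redirecting to whatever is in $_SESSION['RETURN_URL'] is an open redirect if that value started life in a query parameter, because a link such as /login.php?returnurl=http://evil.example sends the freshly logged-in user off site. The parameter name 'returnurl', the path /login.php and the authenticate() function are assumptions; authenticate() is a hypothetical stand-in for your own credential check.

```php
<?php
// Added example (not from the original answer): safe handling of a return URL
// that arrives as ?returnurl=... and is carried through the session.

// Accept only a same-site absolute path such as "/questions/123?tab=active".
// Anything a browser could treat as another origin or a scheme is replaced by
// $fallback: "http://evil.example", "//evil.example", "/\evil.example",
// "javascript:alert(1)".
function safeReturnPath(?string $candidate, string $fallback = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // Control characters (including CR/LF) have no place in a redirect target.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $fallback;
    }
    // Exactly one leading slash: "//host" is protocol-relative, and browsers
    // treat "/\host" the same way.
    if ($candidate[0] !== '/') {
        return $fallback;
    }
    if (isset($candidate[1]) && ($candidate[1] === '/' || $candidate[1] === '\\')) {
        return $fallback;
    }
    // parse_url() must agree that no scheme or host is hiding in the string.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $candidate;
}

// On a page that requires login: bounce to the login controller carrying the
// current URL as an urlencoded GET parameter (assumed path /login.php).
function redirectToLogin(): void
{
    $current = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: /login.php?returnurl=' . urlencode($current));
    exit();
}

// Login controller, GET: validate the target once, on its way into the session.
function rememberReturnUrl(): void
{
    $_SESSION['RETURN_URL'] = safeReturnPath($_GET['returnurl'] ?? null);
}

// Login controller, successful POST: consume the stored target and go there.
function finishLogin(): void
{
    // Validated again in case something else wrote to the session key.
    $target = safeReturnPath($_SESSION['RETURN_URL'] ?? null);
    unset($_SESSION['RETURN_URL']);
    // A new session id on login stops an attacker-supplied id from surviving.
    session_regenerate_id(true);
    header('Location: ' . $target);
    exit();
}

// Hypothetical credential check with one constructed user. In a real
// application the hash comes from the user store, not from the source file.
function authenticate(string $user, string $password): bool
{
    $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// Request dispatch for /login.php.
session_start();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (authenticate($_POST['username'] ?? '', $_POST['password'] ?? '')) {
        finishLogin();
    }
    // Bad credentials: fall through and render the login form again.
} else {
    rememberReturnUrl();
}
```

Because the target lives in the session, the login form itself carries no URL and nothing the user submits with the credentials can change where they end up; the only place attacker-controlled input enters is the GET parameter, and safeReturnPath() reduces it to a local path or the fallback.
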

时常饿 2024-09-25 15:25:46

If it's a static URL, then you can include it on the form as a hidden field and then redirect to it in your code, i.e.

<input type='hidden' name='return' value='/thankyou.html' />

Then in your submit function ...

header("Location: {$_POST['return']}");

In production, you'll obviously want to encrypt the URL in the hidden field, and then decrypt it and validate it as a good URL before invoking the header() function, but that should give you the idea.

Some folks use cookies, others have a lookup table in the DB. Doesn't really matter where you store the URL, it's just important that you scrub it before you header() it.

EDIT: Scrubbing

function isValidURL($url) {
    // Absolute http(s) URL: dotted host labels, optional port, optional path.
    return preg_match('|^http(s)?://[a-z0-9-]+(\.[a-z0-9-]+)*(:[0-9]+)?(/.*)?$|i', $url) === 1;
}

if (isValidURL($_POST['return'] ?? '')) {
    header("Location: {$_POST['return']}");
    exit();
}

As I said earlier, if you want to be even more careful, you can encrypt/decrypt the actual URL prior to showing on the form and prior to validation. There's a ton of good encrypt/decrypt libraries out there.

The take home lesson is to never actually "do anything" (such as insert values in a database, run a shell command, redirect to a URL, etc) with data that comes in via form. Someone could manipulate that hidden field and inject code into your app or db by being tricky. There are thousands of posts and examples of things that people will do through form injection.
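
The hidden-field approach from this answer, as an added example that is not the answer's own code. Instead of encrypting the field as the answer suggests, the server signs the value it emits with an HMAC (a swapped-in technique: what a hidden field needs is integrity, not secrecy) and accepts on submit only a value it produced itself, so a tampered field falls back to the default destination without any regex over the URL. The secret RETURN_URL_KEY, the field name 'return' and the default '/thankyou.html' are assumptions; in practice the key is loaded from configuration. Signing proves only that the server chose the URL, so the argument to signReturnUrl() should come from server-side data, never from the request.

```php
<?php
// Added example (not from the original answer): HMAC-signed hidden return field.

// Assumed secret; load it from configuration in a real deployment.
const RETURN_URL_KEY = 'replace-with-a-random-secret-loaded-from-config';

// Hidden-field value is "<url>.<hmac-hex>" so the URL stays readable in the form.
function signReturnUrl(string $url, string $key = RETURN_URL_KEY): string
{
    return $url . '.' . hash_hmac('sha256', $url, $key);
}

// Recover the URL only if the signature matches what this server would produce.
// Returns null on any mismatch; the caller decides the fallback.
function verifyReturnUrl(string $token, string $key = RETURN_URL_KEY): ?string
{
    $dot = strrpos($token, '.');
    if ($dot === false) {
        return null;
    }
    $url = substr($token, 0, $dot);
    $mac = substr($token, $dot + 1);
    // hash_equals() compares in constant time, so the MAC cannot be recovered
    // byte by byte from response timing.
    if (!hash_equals(hash_hmac('sha256', $url, $key), $mac)) {
        return null;
    }
    return $url;
}

// Rendering the form: the value stays plain text; only its integrity is protected.
function returnField(string $url): string
{
    $token = htmlspecialchars(signReturnUrl($url), ENT_QUOTES, 'UTF-8');
    return "<input type='hidden' name='return' value='{$token}' />";
}

// Handling the submit: $_POST['return'] never reaches header() unverified.
function returnDestination(array $post, string $default = '/thankyou.html'): string
{
    $token = $post['return'] ?? null;
    if (!is_string($token)) {
        return $default;
    }
    return verifyReturnUrl($token) ?? $default;
}

// Constructed inputs for a stand-alone run: a genuine field, a forged
// signature, and a genuine signature reattached to a different URL.
echo returnField('/orders/42'), PHP_EOL;
$cases = [
    'signed by this server' => ['return' => signReturnUrl('/orders/42')],
    'signature forged'      => ['return' => 'http://evil.example/.' . str_repeat('0', 64)],
    'url edited, mac kept'  => ['return' => 'http://evil.example/.' . substr(signReturnUrl('/orders/42'), -64)],
];
foreach ($cases as $label => $post) {
    echo $label, ' -> ', returnDestination($post), PHP_EOL;
}

// In the real submit handler:
// header('Location: ' . returnDestination($_POST));
// exit();
```

Only the first case redirects to /orders/42; the other two fall back to /thankyou.html because the MAC does not match the URL in front of it. Rotating RETURN_URL_KEY invalidates every outstanding form, which is the intended behaviour.
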
