We have a PHP application with a checkIfUserIsLoggedIn function; a $user_logged_in object is passed in to check whether the user is logged in. On failure we need to redirect the user to the login screen on the same domain they're currently on. Keeping them on the same domain is something we have to do because this application responds to many different domain names.
Here is the original code
What is wrong with it?
It gets worse…
What happens when you do this type of login check and then update a record?
There is still something wrong with it…
- Invalid users can update data as they please.
Where did we go wrong!?
- Always exit your PHP if you have to do a non-PHP URI redirect!
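An added example (not the post's own code, which is not reproduced here) showing the pattern the post describes: the login check with the missing exit, then the corrected version, followed by the record update that runs regardless in the buggy case. The allowed-domain list, the URL scheme and the updateRecord helper are assumptions for illustration.

```php
<?php
// Added example (not the post's original code). $user_logged_in and
// checkIfUserIsLoggedIn follow the post; everything else is constructed.

function loginUrlForCurrentDomain(): string
{
    // Stay on the domain the request arrived on. The Host header is
    // client-supplied, so constrain it to domains this app actually serves
    // (constructed list; replace with the real one).
    $allowed = ['app.example.com', 'app.example.org'];
    $host = $_SERVER['HTTP_HOST'] ?? '';
    if (!in_array($host, $allowed, true)) {
        $host = $allowed[0];
    }
    return 'https://' . $host . '/login';
}

// BUGGY: sends the Location header but keeps executing. header() does not
// stop the script; the browser is redirected, yet every statement after
// this call (including the update below) still runs for an anonymous user.
function checkIfUserIsLoggedIn_buggy(?object $user_logged_in): void
{
    if ($user_logged_in === null) {
        header('Location: ' . loginUrlForCurrentDomain());
        // missing exit
    }
}

// FIXED: terminate the script right after the redirect so nothing below
// it can run for an unauthenticated request.
function checkIfUserIsLoggedIn(?object $user_logged_in): void
{
    if ($user_logged_in === null) {
        header('Location: ' . loginUrlForCurrentDomain(), true, 302);
        exit;
    }
}

// Constructed helper standing in for the real database write.
function updateRecord(array $fields): void
{
    // ... persist $fields ...
}

// Caller, e.g. an "update record" endpoint. Constructed anonymous request:
$user_logged_in = null;
checkIfUserIsLoggedIn($user_logged_in);
// With checkIfUserIsLoggedIn_buggy() above, execution would reach this
// line and the update would be applied despite the redirect.
updateRecord($_POST);
```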