I am developing an eCom system for a client and just recently put the login.php file behind the SSL. I added some code to make sure they are always behind the SSL when they try to login, but it's also had another unfortunate side-effect.

Here's how I have the top of the page programmed:

//-- PROCESSING THE LOGIN REQUEST --//
if(isset($_POST["login_x"])) {
	require_once("".$_SERVER["DOCUMENT_ROOT"].$_SESSION["root_directory"]."includes/validate_login_inc.php");
}

//-- RE-DIRECTING USER BEHIND THE SSL --//
if($_SERVER["HTTPS"] != "on") {
".$_SERVER["PHP_SELF"];
	if(!isset($_POST["login_x"])) header("Location: ".$_SESSION["ssl_root_directory"]."login.php");
}

So in the validate_login_inc.php file I'm checking the user's username and password against what's in the table. If they are an "administrator", they stay behind the SSL for all the admin pages and all works like a champ. But when I try to log in as a customer, and re-direct to a normal http:// address, it is continually bringing me back to the login.php page. I know that it's hitting the /validate_login_inc.php file as it is adding the expected variables to my session.

If it's writing those variables to the session, it has passed the login and then at the end of that routine, I say:

				if($_POST["pass_back_to_page"]) {
					header("Location: ".$_POST["pass_back_to_page"]."");
				} else {
					header("Location: ".$_SESSION["default_url"]."");
				}
				exit;

So since the successful user should already be directed to the customer home page, I'm at a complete loss for how they are getting back to the login.php file and then being re-directed to the login behind the SSL.

Any ideas?

    You're not completely at a loss, that would only happen when your computer blows up and you lose 3 months work (boy, does that suck) and you can't be arsed re-creating it, but that goes under "can't be arsed".

    Is it mandatory you use the header() function? There are meta re-directs, JavaScript re-directs and the comments under the function header() in the PHP manual.

      Are you getting any errors? Try this code:

      				ini_set('error_reporting', E_ALL);
      				ini_set('display_errors', '1');
      				if($_POST["pass_back_to_page"]) {
      					header("Location: ".$_POST["pass_back_to_page"]);
      					echo 'redirecting to: ' . $_POST["pass_back_to_page"];
      				} else {
      					header("Location: ".$_SESSION["default_url"]);
      					echo 'redirecting to: ' . $_SESSION["default_url"];
      				}
      				exit;

      EDIT: Paste us all output, too.
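
The redirect at the end of the login routine takes its target straight from $_POST["pass_back_to_page"]. As an added example (not code from this thread), here is one way to restrict that target to paths on the same site before it reaches header(). The function name safe_redirect_target, the sample inputs and the default path are assumptions made for illustration.

```php
<?php
// Added example, not from the thread: validate the post-login redirect target.
// Assumption: a user may only be sent back to a path on this same site.

/**
 * Return $target if it is a site-relative path, otherwise $default.
 */
function safe_redirect_target($target, $default)
{
    if (!is_string($target) || $target === '') {
        return $default;
    }
    // Reject CR/LF and other control characters (header splitting).
    if (preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return $default;
    }
    // Some browsers treat a backslash like a slash, so refuse it outright.
    if (strpos($target, '\\') !== false) {
        return $default;
    }
    // Must start with exactly one "/": "//host" is protocol-relative.
    if ($target[0] !== '/' || (isset($target[1]) && $target[1] === '/')) {
        return $default;
    }
    // Anything that still parses with a scheme or host is not local.
    $parts = parse_url($target);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $target;
}

// Constructed sample inputs; the default path is hypothetical.
$default = '/customer/home.php';
$samples = array(
    '/customer/orders.php?id=7',       // kept
    'http://other.example/login.php',  // absolute URL, replaced by default
    '//other.example/',                // protocol-relative, replaced
    "/ok\r\nSet-Cookie: x=1",          // control characters, replaced
    '',                                // empty, replaced
);
foreach ($samples as $s) {
    echo json_encode($s), ' => ', safe_redirect_target($s, $default), "\n";
}

// In the login routine the raw $_POST value would be replaced with:
// header('Location: ' . safe_redirect_target($_POST['pass_back_to_page'] ?? '', $_SESSION['default_url']));
// exit;
```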
