PHP redirect using SESSION value

Forum Moderators: phranque

Message Too Old, No Replies

PHP redirect using SESSION value

Can/How do I redirect based on session values?

wesmat

4:55 pm on Jul 6, 2017 (gmt 0)

This is my first post, so be gentle. I am also more of a database admin than a web dev, so This there may be a simple solution that I am missing.

First, this is a LAMP stack.
The requirement: I need to redirect a specific set of users. Right now the redirect is done using code included in almost but not all php scripts. (It is the database connection script). However, there are a few scripts that do not call this common code. Is it possible to make a redirect decision at the web server level but use session values? The flow I imagine is:

- user logs in; session now contains the values to know if the redirect needs to happen
- user eventually accesses a page that needs to be redirected but does not call the code that is now doing redirect
- apache checks the session to determine if redirect is required and does redirect if needed.

Step 2 could be eliminated if a solution is possible, so that every page is redirected by apache after login.

Any ideas?

csdude55

5:38 am on Jul 9, 2017 (gmt 0)

To my knowledge, the only "good" option is to do this in PHP. Then it's simple. I don't think that .htaccess can read SESSION files.

You CAN do it with a cookie, though. If you can assign a regular cookie when they log in (in this example, "redirect=1"), then you could do something like this in the .htaccess:

RewriteCond %{HTTP_COOKIE} ^(.*)redirect=1(.*)$ [NC]    
RewriteRule ^(.*)$ https://www.example.com [L,R=301]

Or if you're like me and have to deal with people intentionally blocking cookies to get around filters, then do it the other way around; assign a cookie for users that shouldn't be redirected, then redirect those that don't have a cookie set.

lucy24

5:54 pm on Jul 9, 2017 (gmt 0)

Ahem, cough-cough:

RewriteCond %{HTTP_COOKIE} redirect=1 
RewriteRule ^pagename https://www.example.com/otherpage [L,R=301]

no capturing, no anchors and no [NC] needed, since it's your own cookie and you know its casing. But if the redirect is associated with a specific page, then that has to go in the pattern.

If, instead, you are looking for the absence of a cookie, then you may also need to know whether the cookie is not present at all, or whether it still exists but has a value of 0. This becomes much easier to check if the cookie is always in the same location, such as beginning or end of the current cookie string.

After the redirect has taken place, will you need to un-set the cookie, or does it no longer matter?

wesmat

4:05 pm on Jul 10, 2017 (gmt 0)

Thanks, I suspected that PHP was the best/only solution, but I was hopeful that apache could access the seesion via another means. I hesitate going to cookies simply because adding cookie complexity for this single need isn't worth it, or rather adding the php to handle this case is simpler. So, I'll be adding this check to the outlying cases that don't already have database access.

Thanks for the sanity check.