Alright, so I have an extremely basic login script that doesn't actually load a page before redirecting. It sets a cookie and then uses the header function to redirect to a new page.

PHP Code:

header('Location: http://www.the-portkey.com/index.php'); 


The problem is on the next page. I use the variable $_SERVER['HTTP_REFERER'] to check that it was 'login.php' that referred the user to this page, but since the login script never actually loads, the variable returns the wrong URL. Is there a way to get past this? It's probably an easy fix, I'm just completely lost.

You are right about the server returning HTTP_REFERER as the original loaded page, but that is not very secure because a hacker can manipulate that data since the referrer is set by the users browser in the http headers.

Your best bet is to use sessions, and once a user is ofically logged in, set a session var to be true for the user. Sessions are more secure because the data is stored on the web server and cannot be manipulated by a malicisious user. Once the user is ofically logged out, set the same session var to be false.

Yes, thanks, I know this is very true, and I do have plans to change this, but I still have the same problem. I guess I didn't phrase it correctly, so let me try to tell you exactly what I'm doing.

Depending on some circumstances, I want to initiate a popup window when they login, and only when they login. The problem is, they login from any page on the site from the sidebar. I tried using javascript in the login file itself, but this causes an error since I am using the 'header' function in PHP. My next idea was to use HTTP_REFERRER and check which file had been the referrer so that if it was 'login.php', the window would initiate, but as you said it is insecure and not the best approach. Also, since I use the 'header' function, 'login.php' never actually loads, and the variable returns the previous page. I guess overall 'header.php' is my main problem. Does anyone know another way to do this?

How I would do this is on the script of the login page (that only processes the login but doesn't load as a full page) set a session var something like:

$_SESSION['javascript_login'] = true;

Now in your templates, include a javascript function that opens the popup window. On the next loading page, have the body html tag onload event triggure the popup if the php session var is set.

PHP Code:

<html>
  <head>
  . . .
  <!-- Include Javascript Code //-->
 
  </head>
  <body<?php if (isset($_SESSION['javascript_login']) && $_SESSION['javascript_login'] == true) { echo ' onload="loginPopup()"'; $_SESSION['javascript_login'] = false; }?>>
  
  . . . 
  
</html>