html - Trying to understand the Post/Redirect/Get design pattern (implemented with PHP)
All,
Sorry in advance - I'm not a PHP expert or knowledgeable in design patterns, so this question might be a little basic...
Anyway, I'm working on a web app that will require a login.
My plan is to have this:
index.php: this page will contain a simple form that allows users to enter a username and password. The form will POST the inputs to...
login.php: this page will receive the inputs from index.php, and check the credentials against a database. If any of the inputs are missing, or the credentials check fails, the PHP script will redirect the user back to index.php using:
header('Location: http://www.mydomain.com/index.php');
If the credentials are valid, then login.php creates a session to establish the user's authenticated status:
session_start(); $_SESSION['authenticated'] = true;
Then, it determines what access type the user has. If he has "level 1" access, the script will redirect the user to level1.php using:
header('Location: http://www.mydomain.com/level1.php');
If the user has "level 2" access, the script will redirect the user to level2.php using:
header('Location: http://www.mydomain.com/level2.php');
Finally, when level1.php or level2.php is reached, the first thing they do is check the session. If the user is not authenticated, redirect him back to index.php:
session_start();
if (!isset($_SESSION['authenticated'])) {
    header('Location: http://www.mydomain.com/index.php');
} else {
    // proceed to display the page
}
Having this check in level1.php and level2.php will prevent users from accessing that page directly, without logging in.
My first issue is this: this simple logic fails the first time through - when level1.php is reached, "isset($_SESSION['authenticated'])" always returns false, so the user is redirected back to index.php. If he enters the exact same credentials a second time, the process works as it should.
In short, for reasons I don't understand, it seems that the session that's set by login.php is not found by level1.php - I assume because of the redirect. In other words, the check on level1.php seems to fail until/unless a round trip is made to the client's browser.
Since every site that requires login has solved this problem, this shouldn't be a novel challenge, and there should be an established pattern for it. How should I handle it?
A related question... I've seen similar questions asked here before, and the answers involve a solution in which pages are posting to themselves. This seems a little weird - ideally, I'd like to have each PHP page perform a specific job:
- index.php - display a form to capture credentials, then post them to login.php
- login.php - evaluate the user's credentials, then direct them to the appropriate page
- level1.php & level2.php - display the appropriate content
Is this a flawed setup? If so, what's a better setup?
And - if one page establishes a session, then redirects the user to another page - is there a way the second page can read the session?
There's a great page on Wikipedia about Post/Redirect/Get:
http://en.wikipedia.org/wiki/post/redirect/get
But it's a little conceptual for me - I'd like to see it explained with references to specific pages:
E.g. a form on "page a" posts data to "page b", "page b" redirects the user to "page c", etc...
And, I don't understand how it's implemented with sessions, if sessions aren't recognized when using redirects.
Many thanks in advance for any advice and insights.
[update]
Thanks to Matt Ball's comment, I've refined the issue:
login.php was setting the session and redirecting the user to the next screen:
session_start(); $_SESSION['authenticated'] = true; header('Location: http://www.mydomain.com/level1.php');
However, when level1.php checked the session, "authenticated" was not set:
session_start(); echo (isset($_SESSION['authenticated'])); // returns false
However, if I changed the login.php header to redirect to a relative URL instead of an absolute one:
session_start(); $_SESSION['authenticated'] = true; header('Location: level1.php');
Then, level1.php works as I'd expect:
session_start(); echo (isset($_SESSION['authenticated'])); // returns true
I don't understand why the relative URL makes a difference, but it does. So, at least my immediate issue is resolved.
Many thanks to everyone who commented!
Cheers, Matt Stuehler
Post/Redirect comes into play to stop the user from resending the POST data if they refresh the page they've been redirected to after submitting the form. When you want to implement PRG, you should set the HTTP header code to 303 like this:
header('Location: level1.php', true, 303);
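The login flow from the question combined with the 303 redirect from the answer, as an added example that is not code from either post. `check_credentials()`, the sample account, and the `level` session key are hypothetical stand-ins for the asker's database lookup and access types.

```php
<?php
// Added example, not code from the question or the answer.
declare(strict_types=1);

// Hypothetical stand-in for the database check; returns the access level or null.
function check_credentials(string $user, string $pass): ?int
{
    // Constructed sample account. A real app would load the stored hash from the database.
    $users = ['alice' => ['hash' => password_hash('s3cret', PASSWORD_DEFAULT), 'level' => 1]];
    $account = $users[$user] ?? null;
    if ($account === null || !password_verify($pass, $account['hash'])) {
        return null;
    }
    return $account['level'];
}

function redirect_see_other(string $path): void
{
    // Relative path keeps the browser on the host that owns the session cookie.
    // header()'s second argument is $replace; the status code is the third.
    header('Location: ' . $path, true, 303);
    exit; // nothing after the redirect may run or be sent
}

// Body of login.php: the POST target. It never renders a page itself.
function handle_login(): void
{
    session_start();
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    $level = (is_string($user) && is_string($pass)) ? check_credentials($user, $pass) : null;
    if ($level === null) {
        redirect_see_other('index.php');
    }
    session_regenerate_id(true); // fresh session id at login, against session fixation
    $_SESSION['authenticated'] = true;
    $_SESSION['level'] = $level; // hypothetical key, not in the original post
    $pages = [1 => 'level1.php', 2 => 'level2.php']; // fixed map, never request input
    redirect_see_other($pages[$level] ?? 'index.php');
}

// First call in level1.php / level2.php, e.g. require_level(1);
function require_level(int $needed): void
{
    session_start();
    if (empty($_SESSION['authenticated']) || ($_SESSION['level'] ?? 0) !== $needed) {
        redirect_see_other('index.php');
    }
}
```

If the site answers under more than one host name (for example with and without `www`), an absolute redirect to the other name lands on a host the session cookie was not set for. That is an assumption about the asker's setup, which the post does not confirm.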