This is how I solved it.
First, on every page the user enters, I have this statement:
Code:
$_SESSION['last_page']=$_SERVER['PHP_SELF'];
(Well as a matter of fact this is part of a housekeeping routine which does much more, but that is more application specific.)
Then, when user permissions have to be checked, it is done like this:
Code:
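$permissions=$_SESSION['permissions'];
// Bitwise test of the permission flag required for this page
if (!($permissions & PERM_CH_DAY_REP)){
//if (false){
    // Only prompt if the user has not chosen to suppress login warnings
    if (!$_SESSION['no_ask_login']){
        js_alert ("You are not logged in or you do not have sufficient permissions to make changes on this page");
        http_goto_url ("login.php");
    }
}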
js_alert is a JavaScript showing a message box, not relevant here.
http_goto_url is this piece of code:
Code:
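function http_goto_url ($url){
    // Emit a client-side redirect; json_encode() quotes and escapes $url for the script context
?>
<script type="text/javascript">
window.location.href = <?php echo json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;
</script>
<?php
}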
In the same way when the login is done, I retrieve the last page from $_SESSION and jump to this page again using the http_goto_url function.
The reason that I use JavaScript is that this is the *only* way to go to a new URL if you are halfway through your PHP code before you decide you want to go to a different page.
Also, using only PHP there is *no* way to clear the login screen and go back to your original page without jumping to a new URL. You have to use JavaScript if you want to jump back and forth.
In fact my application is a bit more complicated. When users hit the login page, they are shown the option not to log in at all and continue in read-only mode. There is also an option to suppress any future warnings and you are not redirected automatically to the login page in the future. (That is the use of the checking of $_SESSION['no_ask_login'] in the 'if' statement above.)
It all works flawlessly, there is just one problem. If a user changes data on a page and presses submit, the function which processes the new data checks if the user is logged in. If not, the user is presented with the login page. After that he goes back to his original page. Unfortunately the form is empty by then. That is not pleasant and a huge penalty for forgetting to log in.
Therefore the user should be obligated to log in before he can enter any data.
jlinkels
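
Added example (not part of jlinkels' post): a hardened take on the "remember the last page, return after login" flow described above. The function names, the allow-list of pages and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hardened "return to last page" helpers (names are hypothetical).

// Constructed allow-list of pages a user may be sent back to after login.
const RETURN_PAGES = ['/index.php', '/day_report.php', '/week_report.php'];
const DEFAULT_PAGE = '/index.php';

// Store the current script. SCRIPT_NAME omits the trailing path info that
// PHP_SELF carries, so request-supplied text does not end up in the session.
function remember_page(): void
{
    $_SESSION['last_page'] = $_SERVER['SCRIPT_NAME'] ?? DEFAULT_PAGE;
}

// Return the stored page only if it is a known local path.
function safe_return_target(?string $stored): string
{
    return in_array($stored, RETURN_PAGES, true) ? $stored : DEFAULT_PAGE;
}

// Redirect with a Location header while headers can still be sent; otherwise
// emit the script redirect with the URL encoded for the JavaScript context.
function goto_url(string $url): void
{
    if (!headers_sent()) {
        header('Location: ' . $url, true, 303);
    } else {
        $js = json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
        echo '<script type="text/javascript">window.location.href = ' . $js . ';</script>';
    }
    exit; // stop the rest of the page from running after the redirect
}

// Constructed session values: one normal page, then two that must be rejected.
if (PHP_SAPI === 'cli') {
    foreach (['/day_report.php', '//other.example/x', '/a.php/"><script>'] as $stored) {
        printf("%-22s -> %s\n", $stored, safe_return_target($stored));
    }
}
```

A page would call `remember_page()` after `session_start()`, and the login handler would finish with `goto_url(safe_return_target($_SESSION['last_page'] ?? null))`.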