Passing arguments via header in php

I have 3 files:

• login.html
• login_check.php
• welcome.php

In login.html when the username and password is entered and submit button is clicked login_check.php checks whether the username entry is in the database on the basis of $_POST['username'] and some SQL query. Now I have put the following code at the bottom of login_check.php

login_check.php:

header('Location:welcome.php') 

开发者_JS百科But I want to pass $_POST['username'] from login_check.php to welcome.php so that I can make use of $_POST['username'] in my welcome page. Is there any way by which I can pass an argument like in the above case?

Use session instead because you would be showing the user's name everytime on the welcome page no matter which page you land at welcome page.

You can set the session on login_check page like:

session_start(); // this should be on top of login_check file

// this goes just before redirect line
$_SESSION['username'] = $_POST['username'];

Now on the welcome page, you can show username like:

session_start(); // this should be on top of welcome page.
echo `Welcome ` . $_SESSION['username'];

This can be done using QUERY_STRING (I am sure you have seen it before - these ?'s and &'s in the address bar), but you shouldn't do it as it's just insecure.

A session is the common way to store a username after login and authorization in general.

The session should only be used for session data - not for data relating to a specific page transition. However recording the fact the user has been authenticated and the the username with which they authenticated is session data.

So while you shouldn't use session data to pass information from login.php to login_check.php, in login_check.php, if the authentication is succesful, then you should then store the authenticated username in the session.

While, as Col. Shrapnel says you could do:

header('Location:welcome.php?username=' . urlencode($_POST['username']));

This is trivial to circumvent - you just need to type welcome.php?username=admin into your browser to break the security.

If that's still not clear, consider the situation where the user has two browser windows open at the same time, navigating through different parts of the site (i.e. using same session data). If both browser submit data at the same time which is written to the session and you're not sure of the outcome, then you probably shouldn't be keeping the data in the session.

HTH

C.

Using the header(www.xxx.com?action='') would be the only way to transfer without storing it as a session.