php - confusing about this cookies in redirecting system

Question

I work in PHP. I want to redirect page after login to the last page that i want to visit, but I'm still stack at here in 5 hours and I still don't make it yet. This is the schema, I have 3 php file.

newest.php (before login), 
signin.php (before login), 
thread.php (after login). 

I'm using cookies for this redirecting. First i went to the newest.php, then i clicked the button (go to thread.php). Then thread.php saw that you haven't loggin yet, then redirected to signin.php. After i fill the signin form then, i clicked the submit button (the signin.php), then I'm stack at signin.php (not going anywhere) even after I've loggin in, it should be go to thread.php automatically.

this is my code in newest.php & thread.php (not in signin.php):

$coopage='coopage';
$current_page='http://'.$_SERVER[HTTP_HOST].$_SERVER[REQUEST_URI];
setcookie($coopage, $current_page,time()+86400,'/');

submit button in newest.php (it goes to thread.php):

echo "<center><button onclick="window.location='/thread/form'">add new thread</button></center>"; 

in signin.php (after i clicked the submit button or in submit area, because form and after submit i made in the same page) (in the bottom of the page):

if(isset($_COOKIE[$coopage])){
    $url=$_COOKIE[$coopage];
    unset($_COOKIE[$coopage]);
    header('location:'.$url);
}

note: in signin.php i also have another cookie setup before this cookie, is that the cause of this? or does it matter if i have 2 cookies setup in one page? Another cookie setup is like this (at the top of the page)

$cooval2='juna';
setcookie($coousername, $cooval2, time() + (3600 * 24 * 365), "/"); // 1 year

Answer 1

I would not use cookies at all.

Method 1

A possible way could be to store the link visited into a session variable and then when the user reaches the login.php page, provide a header redirect to $url given by the session variable.

Paste this code into all your pages on your website or the main container.

<?php
session_start(); 
$_SESSION['url'] = $_SERVER['REQUEST_URI']; 

For the login page you can have:

<?php
session_start();  // needed for sessions.
if(isset($_SESSION['url'])) 
   $url = $_SESSION['url']; // holds url for last page visited.
else 
   $url = "student_account.php"; 

header("Location: http://example.com/$url"); 

Method 2

A simpler solution by far is simply to have:

<hidden name="redirurl" value="<? echo $_SERVER['HTTP_REFERER']; ?>" />

Then redirect to that address once they log in.

However, this is only good if you have a login box on every page.

$_SERVER['REQUEST_URI'] will simply hold the current page. What you want to do is use $_SERVER['HTTP_REFERER']. So save the HTTP_REFERER in a hidden element on your form, but also take note on that in the PHP that processes the form you will need some logic that redirects back to the login page if login fails but also to check that the referer is actually your website, if it isn't, then redirect back to the homepage.

Method 3

Another common way to do this is to pass the user's current page to the Login form via a $_GET variable.

change your script so that is also tells the login page to remember where you are:

Note: $_SERVER['REQUEST_URI'] is your current page

header("Location:login.php?location=" . urlencode($_SERVER['REQUEST_URI']));

Now check if it is populated, then send the user to this: login.php

echo '<input type="hidden" name="location" value="';
if(isset($_GET['location'])) {
    echo htmlspecialchars($_GET['location']);
}
echo '" />';
//  Will show something like this:
//  <input type="hidden" name="location" value="previousPage.php" />

login-check.php

session_start();

//  our url is now stored as $_POST['location'] (posted from login.php). If it's blank, let's ignore it. Otherwise, let's do something with it.
$redirect = NULL;
if($_POST['location'] != '') {
    $redirect = $_POST['location'];
}

if((empty($username) OR empty($password) AND !isset($_SESSION['id_login']))) {
    $url = 'login.php?p=1';
    // if we have a redirect URL, pass it back to login.php so we don't forget it
    if(isset($redirect)) {
        $url .= '&location=' . urlencode($redirect);
    }
   header("Location: " . $url);
   exit();
}
elseif (!user_exists($username,$password) AND !isset($_SESSION['id_login'])) {
    $url = 'login.php?p=2';
    if(isset($redirect)) {
        $url .= '&location=' . urlencode($redirect);
    }
   header("Location:" . $url);
   exit();
}
elseif(isset($_SESSION['id_login'])) {
    // if login is successful and there is a redirect address, send the user directly there
    if($redirect)) {
        header("Location:". $redirect);
    } else {
        header("Location:login.php?p=3");
    }
    exit();
}