Asked  7 Months ago    Answers:  5   Viewed   42 times

The title of this question kind of explains my question. How do I redirect the PHP page visitor back to their previous page with the header( "Location: URL of previous page" );




header('Location: ' . $_SERVER['HTTP_REFERER']);

Note that this may not work with secure pages (HTTPS) and it's a pretty bad idea overall as the header can be hijacked, sending the user to some other destination. The header may not even be sent by the browser.

Ideally, you will want to either:

  • Append the return address to the request as a query variable (eg. ?back=/list)
  • Define a return page in your code (ie. all successful form submissions redirect to the listing page)
  • Provide the user the option of where they want to go next (eg. Save and continue editing or just Save)
Wednesday, March 31, 2021
answered 7 Months ago
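
One way to handle the `?back=` option from the answer above so that the parameter can only point at a page on the same site (an added example, not code from the original answer; `safe_return_path()` and the `/` fallback are assumed names and choices):

```php
<?php
// Added example: accept "?back=" only when it is a local path on this site.
// safe_return_path() and the '/' fallback are hypothetical, not from the answer.
function safe_return_path($candidate, string $fallback = '/'): string
{
    // Missing, empty, or array-valued (?back[]=x) input: use the fallback.
    if (!is_string($candidate) || $candidate === '') {
        return $fallback;
    }
    // Control characters could split the header; some browsers treat
    // a backslash as a forward slash, so "/\host" can leave the site.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate)) {
        return $fallback;
    }
    // Require exactly one leading slash: "/list" yes, "//host/path" no.
    if ($candidate[0] !== '/' || strncmp($candidate, '//', 2) === 0) {
        return $fallback;
    }
    // Second check: the parsed value must carry no scheme or host.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $candidate;
}

// Constructed sample inputs, labelled by what each one is.
$samples = [
    '/list',                      // local path
    '/list?page=2',               // local path with query string
    'https://other.example/',     // absolute URL
    '//other.example/path',       // protocol-relative URL
    '/\\other.example',           // backslash variant
    "/list\r\nSet-Cookie: a=b",   // CR/LF inside the value
    null,                         // parameter absent
];
foreach ($samples as $s) {
    printf("%-34s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), safe_return_path($s));
}

// In a request handler (assumed usage):
// header('Location: ' . safe_return_path($_GET['back'] ?? null), true, 303);
// exit;
```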

In the case of this particular site, the redirection is done through JavaScript with window.location.replace() so you'll need to look in the body of the response:

$c = curl_init();
curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
curl_setopt($c, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($c, CURLOPT_URL, "");
$html = curl_exec($c);
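// Escape the dots and the literal parentheses so the pattern matches window.location.replace('...')
$redirection_url = preg_match("/window\.location\.replace\('(.*?)'\)/", $html, $m) ? $m[1] : null;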
echo $redirection_url; //
Saturday, May 29, 2021
answered 5 Months ago
  1. On the page they try to login set a session variable containing the URL of that page.
  2. Then redirect them to the login page.
  3. After a successful login get the previous URL from their session and redirect them there.

Have the page that does the redirecting set a session variable that is the URL of that page:

if (!$logged_in) {
    $_SESSION['redirect_url'] = $_SERVER['PHP_SELF'];
    header('Location: login.php');
    exit; // stop running the protected page once the redirect is sent
}

Then after a successful login redirect them to that URL:


/* Login code goes here */

$redirect_url = (isset($_SESSION['redirect_url'])) ? $_SESSION['redirect_url'] : '/';
header("Location: $redirect_url", true, 303);
exit;

The above can be improved upon but this should give you the idea.

Saturday, May 29, 2021
answered 5 Months ago

You can not rely on the HTTP REFERER because users can manipulate it and browsers can refuse to send it.

The only "secure" way would be to set a session variable on register.php and check if that variable is set on confirm.php. Something like this:


// register.php
$_SESSION['valid_user'] = true;

// confirm.php
if (!isset($_SESSION['valid_user'])) {
    die("You did not come from the page i specified!");
}

However, this will not take into account whether the latest page was register.php, only that the user has been on register.php.

Because HTTP is stateless, you need to keep track of this at the server level. If you don't have an authenticated user for which you can track all pageviews, this is going to be very hard to implement. How secure do you really need it to be?

Saturday, May 29, 2021
answered 5 Months ago

This is a documented feature in Apache 2.4. See

Translation of headers to environment variables is more strict than before to mitigate some possible cross-site-scripting attacks via header injection. Headers containing invalid characters (including underscores) are now silently dropped.

Thursday, July 29, 2021
answered 3 Months ago