Hi all, another challenge - if a user clicks a link to a secure part of my app and they’re not logged in, I redirect them to /login. However, upon login how do I then route them to their intended destination (including all URL params)?
Thanks in advance.
In the dynamic events of the form, select Server Connect => Success
with the browser component use something like Browser1.goto(’‘mypage.php’)
parameters can be added to the web page specified for the goto using an expression i.e.
‘mypage.php?id=’+{{userid}}+‘action=’+{{moredata}}
The problem with this is that you’re assuming that mypage.php is the page/link the user followed.
For exampke: a user click on a link such as /profile/edit but isn’t logged in. They would then be redirected to /login and on successful login be redirected to their intended destination, ie. /profile/edit.
I hope that clarifies my intentions.
Think so, you need them to be redirected to the page they previously requested which could be one of many different pages?
Many ways of doing this I am sure
One idea that comes to mind is drop a cookie or set a session variable (more secure) in the restricted pages to save the current URL then read it back and use it in the browser redirect . Bit of a pain but should work although I admit I have never tried. Doubtless others involving storing the referrer using PHP
Having said that, it does bring the idea of exposing the “forbiddenUrl” action as a dynamic event so actions could be set on authorisation failure to mind
Correct, this is quite a common feature of apps behind a login/pay-wall. Eg. A product inventory tracking app - a client might send you a link to a product and you're not logged in...instant bad usability from the perspective of the end-user (you in this instance) ie. login, "oh, I'm on the index page. Okay, I'll go back to my email and click on the link again..." Very annoying.
I admit I don't have much experience with Wappler or utilising session variabled within it. This is something I'll definitely have to research more. I see how to set a variable within a server action, I'm just not entirely sure how to consume it etc. Also not sure how I'd set a session var to the intended URL tbh. I've lots to learn for sure.
Thanks for your 2 cents 
Server sessions remain a weak point in wappler in my opinion, accessing server sessions is a pain.
Couple of techniques to look at
I have on occasions written a server action which does nothing more than return a server session variable as a app connect variable;
Something like
Action name: getMy Session
where the session is defined in globals
$_session.myvariable
the a set value stage in the server action with output set to output the content
Obviously this has a small processing overhead but it is tiny bu this can lead to timing issues
Alternatively use scripting (in this case PHP) to assign the session value to an app connect variable
resulting code would be:
<dmx-value id="varMyvalue" dmx-bind:value="<?php echo $_SESSION['myvariable'];?>"></dmx-value>
As you explained in your post, you can just use PHP to access server sessions.
Guys, Wappler does not forbid usage of PHP when it's needed There will always be cases when something not really available in the UI, so it's not a bad practice to add you PHP code on the page.
I agree @Teodor, you can’t do everything but would be nice to have a component in App Connect which returned the value of a server session variable, seems such an obvious omission to an otherwise comprehensive offering.
Sure, we will see what can be done 
I am beginning to realize that this will be extremely valuable on my website as well.
This would be my first venture into the world of sessions, and I’ve read all the topics here on Wappler that I could find, but I seem to be missing some steps because I have not been able to make it work.
I tried adding the browser component to the page and then using the value of referral in the session, but I did not see any session set on the page when I loaded it.
From looking outside of the Wappler community, it looks like I need to use $_SERVER[‘REQUEST_URI’]; as the value of the current URL that the user is on. I tried setting that as the value in various ways and did not see any session set on the page when I loaded it.
For my situation, I have a header that I include on my pages using the SSI include. I think it would be best to set the session within the header so that it auto-updates without me adding the session manager on every page I create. However, I am not sure if that is the best option or not. From reading, it looks like I would need to set and remove the session on each page load so that the appropriate URL is set as the value and if the user is redirected to the login, the correct URL would be saved and used.
How to redirect the user after login…
browser1.goto(query.return)
If you now redirect the user to the login page and add ‘?return=mypage’ at the end of the URL, after login they should be redirected to the page you want. Example:- mywebsite.com/login?return=edit-profile
Perfect! Thanks! That is just what I needed.
I took what you provided and added it into the Security Provider Enforcer as shown below
I tested it and it worked perfectly ! Thank you so much @max_gb
I should mention that I use routing on my pages which is why I used web-users instead of web_users.php
No problem. This method is also useful for when we send out specific emails to clients. For example, when a credit card has expired I want the user to go to the credit card page but first check they’re logged in. I send them to mywebsite.com/login?return=update-payment and then they end up in the right place.
Although I can not seem to find the topic now using the search, I do remember seeing someone ask about adding in the data picker into the Security Provider Enforcer. I just noticed that I would probably vote for that feature to be added as well because some of my pages use parameters with routing and it would be easier to use the data picker than try to remember how to add it in manually.
I think it was @George that responded to that request, but I could be wrong.
Hello,
I am trying to do this and got it working. but need to pass the query string too.
So when user goes to /mypage?form=123
The security provider should redirect to /login/?return=mypage?form=123
Basically we need a datapicker in the security provider…
any ideas?
[ended up using Conditional region so show login form on same page]
Wappler way you can use action scheduler to run browser extension to redirect the page.
Hi guys,
Is there a way to indicate the REFERER right into the Security Provider JSON options?
See $_SERVER[‘HTTP_REFERER’] below. I tried but the $_SERVER variable isn’t filled in and replaced by PHP inside the JSON steps, it breaks the app.
Any idea to pass the Referer through this method?
<?php require('dmxConnectLib/dmxConnect.php');
$app = new \lib\App();
$app->exec(<<<'JSON'
{
"steps": [
"Connections/DB",
"SecurityProviders/argon2idLogin",
{
"module": "auth",
"action": "restrict",
"options": {"permissions":"userAccess","loginUrl":"login.php?continue=**$_SERVER['HTTP_REFERER']**","forbiddenUrl":"index.php","provider":"argon2idLogin"}
}
]
}
JSON, TRUE);
?>Hi Fred.
This is only applicable to PHP and not NODE…
Security Enforcer - Redirect Only
I use security enforcer on my page, the PHP starts first, as the enforcer sits at the top op the page and will execute first… So even if I user browsergoto referrer it wont work, as the page never got to that code to do its thing. Im not talking about server side with server connect. Im strictly using the enforcer at the top of the page.
This is why I did this…
Sometimes i have a case where i give my client a link like this… this page is “protected” by security enforcer eg… www.test.com/goto/otherpage/page?id=122&code=18383838
When the client then clicks on this form an external link, and when you have security enforcer at the top it will just open and redirect to the physical path you set… as i cannot use referrer or anything as the enforcer execute first. So you will never get redirected from the page you come from.
So here is my “hack” solution
The i add the the “redirect link” code to the code below
Its basically modifying the original “enforcer” code
<?php
// Set link
$redirect_link = $_SERVER['REQUEST_URI'];
$redirect_link = str_replace('&', '@@S@P@@', $redirect_link);
$redirect_link = str_replace('?', '99x@x99', $redirect_link);
// Require the necessary files
require('dmxConnectLib/dmxConnect.php');
// Construct the JSON string
$json_string = json_encode([
"steps" => [
"Connections/db",
"SecurityProviders/YourSecurity",
[
"module" => "auth",
"action" => "restrict",
"options" => [
// Include the value of $redirect_link properly
"loginUrl" => "login?redirect=" . urlencode($redirect_link),
"forbiddenUrl" => "",
"provider" => "LoginRedirectForm"
]
]
]
]);
// Initialize the App
$app = new \lib\App();
// Execute the JSON data
$app->exec($json_string, TRUE);
?>
So in effect it will go to the login form and take your “redirect link” along in simple terms
Now on your login page, at the op of the page you can add the following php
<?php $redirect = isset ($_GET['redirect']) ? $_GET['redirect'] : '';
$redirect = str_replace('@@S@P@@', '&', $redirect);
$redirect = str_replace('99x@x99', '?', $redirect);
?>
Now we will bring back the & ? where applicable… So that your link is 100% correct.
So in your form that does the login
<form action="dmxConnect/api/login.php" method="post" name="loginmember" id="loginmember" is="dmx-serverconnect-form" dmx-on:success="browser1.goto(refferervalue.value)">
<dmx-value id="refferervalue" dmx-bind:value="'<?php echo $redirect; ?>'"></dmx-value>
// all your other fields required..... can come here
</form>
So once you submit the login it will know where to go.
This is the only way i could make it work for security enforcer.
One could also use a session i guess
$_SESSION['redirect_link'] = $redirect_link;
and then in the enforcer something link this
"loginUrl" => "login?redirect=" . urlencode($_SESSION['redirect_link']),