I created a PHP script that looks at whether the admin is logged in using PHP session. If they aren't logged in, the script sends them back to the last page they were on with an error message.
```php
$Message = urlencode(" Authentication Timeout: 1");
header("Location: {$_SERVER['HTTP_REFERER']}?Message=".$Message);
exit; // stop executing the script after sending the redirect
```
And on the main.php page I have this code to check for the $Message:
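```php
<?php
if (!empty($_REQUEST['Message'])) {
    // Escape the value before output: it comes straight from the request
    echo "<font color='red'>" . htmlspecialchars($_REQUEST['Message'], ENT_QUOTES, 'UTF-8') . "</font>";
}
?>
```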
However, if this event is triggered, the browser shows ?Message=TEXT even after being returned. And the text that shows up, as well as the text in the URL, doesn't go away until you refresh the page. Another thing I noticed is that if you just add ?Message=SomeText to the end of the URL, then the message code is triggered for that page, which is expected because the PHP code is searching for ?Message.
What would be the best approach for removing the text from the URL, but still being able to display the error message?
Use sessions
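On the protected page:
```php
session_start(); // the session must be started before $_SESSION is used
$_SESSION['response'] = 'authentification failed'; // set message in a session
header('Location: '.$home); // redirect to homepage ($home is defined elsewhere)
die; // stop executing the script
```
On the default page:
```php
session_start();
if (isset($_SESSION['response'])) { // check if the message is set
    echo $_SESSION['response']; // output the content of the session message
    unset($_SESSION['response']); // delete the message from the session
}
```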
Read about flash messages. It is generally an approach to store a session of the message and if that session exists while the page loads, then you show it to the user and remove that session. So even after a reload the message won't be there anymore.
Before redirect:
```php
$_SESSION['flash'] = 'text';
```
After redirect:
```php
echo $_SESSION['flash'];
unset($_SESSION['flash']);
```
Of course you should do some isset validation.
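
Both answers combined into one single-file demo, as an added example that is not part of the original question or answers: the message is kept in the session, read once with the isset check, escaped on output, and the redirect goes to a fixed page rather than the Referer header. The names `flash_set`, `flash_take`, the `flash` and `admin_logged_in` session keys and the `?page=` switch are assumptions made for the demo.

```php
<?php
// Added example, not code from the question or the answers.
// flash_set(), flash_take(), the 'flash' and 'admin_logged_in' session keys
// and the ?page= switch are hypothetical names used for this demo only.
declare(strict_types=1);

function flash_set(string $message): void
{
    // The text stays server-side, so nothing is appended to the URL and a
    // visitor cannot supply a message of their own via ?Message=...
    $_SESSION['flash'] = $message;
}

function flash_take(): ?string
{
    // The isset check the second answer asks for.
    if (!isset($_SESSION['flash']) || !is_string($_SESSION['flash'])) {
        return null;
    }
    $message = $_SESSION['flash'];
    unset($_SESSION['flash']); // one-shot: a reload no longer shows it
    return $message;
}

session_start();
$page = $_GET['page'] ?? 'main';

if ($page === 'admin' && empty($_SESSION['admin_logged_in'])) {
    flash_set('Authentication Timeout: 1');
    // Fixed, server-chosen target instead of the client-supplied Referer.
    header('Location: ?page=main', true, 303);
    exit; // stop here so no protected content is rendered
}

$flash = flash_take();
if ($flash !== null) {
    // Escape on output so the value can never be interpreted as markup.
    echo "<span style='color:red'>"
        . htmlspecialchars($flash, ENT_QUOTES, 'UTF-8')
        . "</span>\n";
}
echo $page === 'admin' ? "Admin area\n" : "Main page\n";
```

Served with PHP's built-in web server, a request for `?page=admin` without a login is redirected to `?page=main`, which shows the message once; reloading that page no longer shows it.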