doukanhua0752 2018-02-07 20:27
Views: 77

Redirecting from the login page to the main application page with a CSRF token (PHP / JavaScript)

I have a login page (login.php) that redirects to my main page (dashboard.php). When the user POSTs their email and password to login.php I validate credentials, create a CSRF token, store it in the session, and then redirect to dashboard.php. Upon redirection, however, dashboard.php is doing its own validation of the session and CSRF token. Since it's a redirect in PHP, I cannot attach any custom headers to contain the CSRF token, and dashboard.php is redirecting back to login.php. I thought I might be able to handle this with JavaScript but haven't found any examples of redirecting to another page in JavaScript and including the CSRF token in a header. I know I could redirect with a GET variable containing the CSRF token, but that seems insecure.

Login.php

<?php
$dbh = new Database();               // the same database handle dashboard.php constructs
$user = new AuthenticatedUser($dbh);

// Already logged in: go straight to the dashboard.
if ($user->isLoggedIn())
{
    header("Location: dashboard.php");
    die("Redirecting to dashboard...");
}

// Handle the submitted login form.
if (isset($_POST["email"]) && isset($_POST["password"]))
{
    $user->login($_POST["email"], $_POST["password"]);

    if ($user->isLoggedIn())
    {
        header("Location: dashboard.php");
        die("Redirecting to dashboard...");   // stop here so nothing runs after the redirect
    }
}

dashboard.php

<?php
$dbh = new Database();
$authUser = new AuthenticatedUser($dbh);

// When the AuthenticatedUser object is constructed in dashboard.php, the
// constructor checks whether the user has a session and, if so, whether the
// CSRF token is set. If it is not, the class clears the isLoggedIn flag,
// which in turn makes dashboard.php redirect back to login.php.
if (!$authUser->isLoggedIn())
{
    header("Location: login.php");
    die("Redirecting to login...");
}
?>
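The session-stored token flow the question describes, as an added example in PHP that is not the asker's code: the token is minted at login, kept in the session, embedded in forms, and checked only on state-changing POSTs, so the redirect itself carries no header or query parameter. The `Database`/`AuthenticatedUser` classes are replaced by stand-in functions, and `on_login_success` is assumed to be called right after the credential check in login.php.

```php
<?php
// Added example (not the asker's code): a synchronizer-token CSRF flow in PHP.
// Assumed: the token lives server-side in the session, so a redirect to
// dashboard.php carries no token at all; only state-changing POSTs are checked.
function csrf_token(): string {
    // Generate once per session and reuse it so several tabs keep working.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_hidden_field(): string {
    // Embed the token in every form that changes state.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check(array $post): bool {
    // Reject if either side is missing; compare in constant time.
    if (empty($_SESSION['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

function on_login_success(int $userId): void {
    // Rotate the session id so a pre-login session cannot be fixated,
    // then mint a fresh token bound to the new session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    unset($_SESSION['csrf_token']);
    csrf_token();
}

function require_login(): void {
    // dashboard.php needs only this on the GET that follows the redirect.
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');
        exit;
    }
}

// Request handling at the top of dashboard.php (or any protected page):
session_start();
require_login();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_check($_POST)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}
```

Forms rendered by dashboard.php include `csrf_hidden_field()`, and the login handler calls `on_login_success()` before issuing its `Location: dashboard.php` header.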
0 answers
