Redirect on successful login

I am using the following snippet to control redirects after successful logins…

    add_action( 'wp_login', 'redirect_on_login' ); // hook failed login
    function redirect_on_login() {
        $referrer = $_SERVER['HTTP_REFERER'];
        $homepage = get_option('siteurl');
        if (strstr($referrer, 'incorrect')) {
            wp_redirect( $homepage );
        }
        elseif (strstr($referrer, 'empty')) {
            wp_redirect( $homepage );
        }
        else
        {
            wp_redirect( $referrer );
        }
    }

What I want it to do is this…

  • If $referrer is www.mydomain.com/?login=incorrect then redirect to the homepage
  • If $referrer is www.mydomain.com/?login=empty then redirect to the homepage
  • Anything else then redirect to $referrer

I’m sure there is something wrong with my logic, as whatever $referrer is, it just redirects me to the same. Am I missing something obvious?

UPDATE

As requested, here is a bit more of an explanation…

  • Somebody goes to my custom WordPress login page at www.mydomain.com
  • They try to log in with an incorrect password or username
  • The following function runs…

    add_action( 'wp_login_failed', 'pu_login_failed' ); // hook failed login
    function pu_login_failed( $user ) {
        // check what page the login attempt is coming from
        $referrer = $_SERVER['HTTP_REFERER'];
        $loginpage = 'http://www.mydomain.com/login';
        // check that we're not on the default login page
        if ( !empty($referrer) && !strstr($referrer,'wp-login') && !strstr($referrer,'wp-admin') && $user!=null ) {
            // make sure we don't already have a failed login attempt
            if ( !strstr($referrer, '?login=failed' )) {
                // Redirect to the login page and append a querystring of login failed
                wp_redirect( $loginpage . '/?login=incorrect');
            } else {
                wp_redirect( $referrer );
            }
            exit;
        }
    }
    

This is how the ?login=incorrect gets added. I am probably going about it the wrong way though.

2 comments

  1. According to the Codex page for wp_redirect(), you should follow your wp_redirect() calls with exit.

    add_action( 'wp_login', 'redirect_on_login' ); // hook failed login
    function redirect_on_login() {
        $referrer = $_SERVER['HTTP_REFERER'];
        $homepage = get_option('siteurl');
        if (strstr($referrer, 'incorrect')) {
            wp_redirect( $homepage );
            exit;
        } elseif (strstr($referrer, 'empty')) {
            wp_redirect( $homepage );
            exit;
        } else {  
            wp_redirect( $referrer );
            exit;
        }
    }
    

    If that doesn’t work, try commenting out your wp_redirect() calls and then echo( $referrer ); to see if $referrer is set correctly.

  2. What you want: If the GET-var ‘login’ is set to ‘incorrect’ or ‘empty’, redirect the user to the homepage. Else redirect him to whatever the referer is.

    But there is no hook like wp-login. But there is a useful hook called login_redirect.

    And there is a problem: The PHP manual says about $_SERVER['HTTP_REFERER']:

    The address of the page (if any) which referred the user agent to the
    current page. This is set by the user agent. Not all user agents will
    set this, and some provide the ability to modify HTTP_REFERER as a
    feature. In short, it cannot really be trusted.

    // login_redirect is a filter, so register the callback with add_filter()
    add_filter( 'login_redirect', 'redirect_on_login' );
    
    function redirect_on_login( $redirect_to ) {
    
      $homepage = get_site_url();
    
      // get whatever is stored in the GET-var 'login'
      // (FILTER_SANITIZE_STRIPPED is deprecated since PHP 8.1; the value is only
      // compared against fixed strings below, so no sanitizing filter is needed)
      $login = filter_input( INPUT_GET, 'login', FILTER_DEFAULT );
    
      // if the content of 'login' is in the group (here as array), redirect to the homepage
      if ( in_array( $login, array( 'incorrect', 'empty' ), true ) ) {
    
        return $homepage;
    
      } else {
    
        // $_SERVER['HTTP_REFERER'] cannot really be trusted and $referrer can be empty.
        // set up a default location for redirecting.
        // @see: http://php.net/manual/en/reserved.variables.server.php
        $referrer = ! empty( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : $homepage;
    
        // wp-login.php uses wp_safe_redirect, this means only pages on the same domain are accepted
        // @see: http://codex.wordpress.org/Function_Reference/wp_safe_redirect
    
        // get the host of our blog (strip scheme like http:// and https://)
        $host = parse_url( $homepage, PHP_URL_HOST );
    
        // check if the referrer is on the same host as the blog: compare the parsed
        // hosts, because a substring match also accepts URLs that merely contain $host
        $referrer_host = parse_url( $referrer, PHP_URL_HOST );
        $redirect_to = ( is_string( $referrer_host ) && 0 === strcasecmp( $referrer_host, $host ) ) ?
            $referrer : $homepage;
    
        return $redirect_to;
    
      }
    
    }
    

    We will end up in this script. At first use the right hook (login_redirect). This is a filter and it accepts one value, the redirection target. So our function should return a new or modified redirection target.

    In our function get the GET-var login and check if it is set to one of the accepted values (‘incorrect’ or ‘empty’). If it is so, set the redirection target to the homepage (site-url).

    If not, try to get the value of $_SERVER['HTTP_REFERER']. As mentioned above, we cannot trust this value, so set up a default value if $_SERVER['HTTP_REFERER'] is empty or something we can’t use.

    Finally check if the redirection target (maybe the referer) is on the same host as the blog. This is needed because login_redirect uses wp_safe_redirect() and this function only accepts local targets as redirection.
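
A same-host test on a Referer-derived redirect target has to compare the parsed host, not look for the host string somewhere in the URL. The following is an added example, not code from the question or the answers; the function names and the sample URLs are constructed for illustration, and it runs without WordPress.

```php
<?php
// Added example: substring host test vs. exact host comparison.
// Function names and sample referrers are hypothetical, constructed for illustration.

/** Substring test: true for any URL that contains the site host anywhere. */
function substring_host_check( string $url, string $site_url ): bool {
    $host = parse_url( $site_url, PHP_URL_HOST );
    return false !== stristr( $url, $host );
}

/** Exact test: parse the candidate and compare scheme and host. */
function exact_host_check( string $url, string $site_url ): bool {
    $parts     = parse_url( $url );
    $site_host = parse_url( $site_url, PHP_URL_HOST );
    if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false; // empty, relative or malformed Referer
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false; // only web URLs are valid redirect targets
    }
    return 0 === strcasecmp( $parts['host'], $site_host );
}

/** Pick the redirect target: the referrer if it is on the site, else the homepage. */
function pick_redirect_target( string $referrer, string $site_url ): string {
    return exact_host_check( $referrer, $site_url ) ? $referrer : $site_url;
}

$site    = 'http://www.mydomain.com';
$samples = array( // constructed Referer values
    'http://www.mydomain.com/members/',
    'http://WWW.MYDOMAIN.COM/members/',
    'http://www.mydomain.com.other.example/login',
    'http://other.example/?next=www.mydomain.com',
    'ftp://www.mydomain.com/file',
    '',
);

foreach ( $samples as $referrer ) {
    printf(
        "%-46s substring=%-6s exact=%-6s target=%s\n",
        '' === $referrer ? '(empty)' : $referrer,
        substring_host_check( $referrer, $site ) ? 'accept' : 'reject',
        exact_host_check( $referrer, $site ) ? 'accept' : 'reject',
        pick_redirect_target( $referrer, $site )
    );
}
```

Inside WordPress, `wp_validate_redirect( $referrer, $homepage )` performs the host validation that `wp_safe_redirect()` relies on and returns the fallback for targets it does not allow.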