While testing, I found a slight "gotcha" on one of my forms, and I'm not sure what a reasonable solution is?! (It deals with the "stickiness" of the Form.)
I have a simple "Send Private Message" form which has the following fields:
If a User is logged in, completes the Form, but there are errors, I echo back the values entered with an error message (e.g. "Subject must be less than 40 characters.")
Here is the code I use to do this...
<!-- PM Subject -->
<input id="pmSubject" name="pmSubject" type="text" maxlength="40"
value="<?php echo (isset($trimmed['pmSubject']) ? str2htmlentities($trimmed['pmSubject']) : ''); ?>" /><!-- Sticky Field -->
<?php
// Only print the error span when a validation message exists for this field.
if (!empty($errors['pmSubject'])) {
    echo '<span class="error">' . $errors['pmSubject'] . '</span>';
}
?>
This part works fine, however, here is the problem I just discovered...
Let's say JaneDoe has my website loaded in two browser windows. And in one window, she opens up the "Send PM" form, types a long PM to her girlfriend, and then gets distracted by her kids.
Later, she comes back to her PC, and goes to the second window, does whatever, and clicks "Log Out".
Before shutting off her computer, she notices the first window, and clicks on "Send PM".
The problem is that to my server she is logged out...
Since you have to be logged in to send a PM, at the top of my "send-pm.php" script, I have this code...
// Set Redirect Path (encode the username so it cannot inject path or header characters).
$_SESSION['returnToPage'] = "/account/send-pm/" . rawurlencode(isset($_GET['user']) ? $_GET['user'] : '');
// Redirect to Outcome Page.
header("Location: " . BASE_URL . "/account/results.php");
// End script: stop execution so nothing below the redirect runs for a logged-out visitor.
exit;
This code was intended to mark the User you want to PM, take you to my "log-in.php" script, log you in, and then bring you back to a BLANK "Send PM" form which is pre-populated with the Username captured above.
And so JaneDoe just lost her 10 page PM to her girlfriend in this scenario...
I assume this is unacceptable??
Should I be saving the whole "Send PM" form in case this scenario happens?
Or is it okay to just have a "sticky" form when POST is involved?
Hope all of this makes sense?!
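One way to keep the draft across the login redirect, as an added example and not the poster's own code: park the whitelisted POST fields in the session before redirecting to log-in.php, then restore them exactly once when the user comes back to the form. isLoggedIn(), $_SESSION['pendingForm'], MAX_DRAFT_BYTES, pickDraft() and the field name pmBody are assumptions; BASE_URL and the redirect path are from the post.

```php
<?php
// Added example, not the poster's code: keep a POSTed "Send PM" draft across
// the login redirect by parking the allowed fields in the session.
// Assumed: isLoggedIn(), $_SESSION['pendingForm'], MAX_DRAFT_BYTES, field "pmBody".
session_start();

const MAX_DRAFT_BYTES = 65536;   // bound on what an anonymous request may park in the session
$allowedFields = ['pmSubject', 'pmBody'];   // whitelist; anything else in $_POST is dropped

function isLoggedIn(): bool {    // hypothetical stand-in for the site's own login check
    return !empty($_SESSION['userId']);
}

// Return only the whitelisted, string-valued fields from a submitted array.
function pickDraft(array $post, array $allowed): array {
    $draft = array_intersect_key($post, array_flip($allowed));
    return array_filter($draft, 'is_string');
}

if (!isLoggedIn()) {
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $draft = pickDraft($_POST, $allowedFields);
        if (strlen(serialize($draft)) <= MAX_DRAFT_BYTES) {
            $_SESSION['pendingForm'] = $draft;   // survives the trip through log-in.php
        }
    }
    // Encode the target username so it cannot inject path segments or header characters.
    $_SESSION['returnToPage'] = '/account/send-pm/' . rawurlencode($_GET['user'] ?? '');
    header('Location: ' . BASE_URL . '/account/results.php');
    exit;   // nothing below may run for a logged-out visitor
}

// Logged in: fresh POST values win, otherwise restore the parked draft exactly once.
$trimmed = array_map('trim', pickDraft($_POST, $allowedFields));
if (!$trimmed && !empty($_SESSION['pendingForm'])) {
    $trimmed = $_SESSION['pendingForm'];
    unset($_SESSION['pendingForm']);   // one-shot, so a stale draft is never replayed later
}
?>
<!-- Sticky field: always escape on output, whatever the source of the value -->
<input id="pmSubject" name="pmSubject" type="text" maxlength="40"
       value="<?= htmlspecialchars($trimmed['pmSubject'] ?? '', ENT_QUOTES, 'UTF-8') ?>" />
```

The draft lives only in the server-side session and is cleared the first time it is restored, so a later visit to the form after sending starts blank again.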