What Causes A Redirect Loop?

Posted 2019-07-04 03:46

Question:

Here are my pages:

Redirect Page: if user has an open session, redirect to the proper resource else redirect to login page

Login Page: if user login info is valid, redirect to $_SERVER['HTTP_REFERER'] else display login page

When you visit the redirect page, it sees that you do not have a valid session and redirects to the login page. You can then login no problems, but after authentication I receive the "This webpage has a redirect loop." page in Chrome.

It's not a true loop, since there are several ways out (i.e. provide valid login details and go to the destination resource, provide an invalid login and receive an error message, etc.). But I can see the browser's confusion (going from a to b to a again).

Any ideas how I can solve this problem?

Cheers

Answer 1:

$_SERVER['HTTP_REFERER'] will always be the login page, since you have to load the login page right before you successfully log in. So once you successfully log in, the referrer is the login page, so the login page redirects you to the login page, where you are still successfully logged in, so it logs you in over and over.

Rather than relying on $_SERVER['HTTP_REFERER'], you should probably store the page they are trying to get to in either a $_SESSION or $_COOKIE variable. Most likely the session will be better, depending upon your setup.



Answer 2:

After submitting your login details, $_SERVER['HTTP_REFERER'] is going to be the URL of your login page, since the last page the user saw was the form for them to log in.

Consider storing the 'redirect to' URL in the PHP session before you redirect to the login page. You could also pass it as a parameter when you redirect to the login page, but I can see that approach having potential security flaws (such as redirecting users to another site, adding fake HTTP headers, etc.).



Answer 3:

My guess is:

If the user has a session, but not a valid one (e.g. the session hash does not match), he gets redirected to the login page (since he has a session). But when he gets there, you check whether he has a session, and he does (but it's not valid), so you redirect him to the index resource. There, you check whether the session is valid, but it's not. So you redirect him to the login page. And so on...

How to fix it? Check for session validity (not only for existence) in both the login page and the other resources.

And of course, if the HTTP_REFERER is login, ignore it and forward to the index resource.



Answer 4:

You should always check that the $_SERVER['HTTP_REFERER'] variable contains valid data, as it is not to be trusted, since user agents provide this value.

From the php.net manual:

> The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

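The following is an added PHP example, not code from the original question or any of the answers. It pulls together the advice from Answers 1, 2 and 4 (and the "never bounce back to the login page" point from Answer 3): the protected page remembers the intended destination in the session instead of relying on HTTP_REFERER, the login handler redirects only to a same-site path it has validated, and the referrer is used at most as a validated fallback. The file name `/login.php`, the `SITE_HOST` constant, the `return_to` and `user_id` session keys, and the `session_start()` call being made elsewhere are all assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: the application's own hostname. Compare the referrer against this,
// not against $_SERVER['HTTP_HOST'], which the client can also influence.
const SITE_HOST = 'example.com';
const LOGIN_PATH = '/login.php';

// Return $url only if it is a plain same-site path such as "/reports?id=3".
// Anything carrying a scheme or host (including "//evil.example" and the
// backslash variant browsers normalise, "/\evil.example") falls back to $default,
// which is what prevents the open-redirect problem Answer 2 describes.
function safe_local_target(?string $url, string $default = '/'): string
{
    if ($url === null || $url === '' || preg_match('/[\x00-\x1f\x7f]/', $url)) {
        return $default;                      // empty, or CR/LF that could split the Location header
    }
    $parts = parse_url($url);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;                      // off-site or malformed
    }
    $path = $parts['path'] ?? '';
    if ($path === '' || $path[0] !== '/' || strpos($path, '/\\') === 0) {
        return $default;                      // must be an absolute local path
    }
    $target = $path;
    if (isset($parts['query'])) {
        $target .= '?' . $parts['query'];
    }
    return $target === LOGIN_PATH ? $default : $target;  // never redirect into the login page itself
}

// Fallback only: accept HTTP_REFERER when it points at this host, and reduce it
// to its path so the result still goes through safe_local_target().
function referer_local_target(array $server, string $default = '/'): string
{
    $parts = parse_url($server['HTTP_REFERER'] ?? '');
    if ($parts === false || !isset($parts['host']) || strcasecmp($parts['host'], SITE_HOST) !== 0) {
        return $default;
    }
    $path = $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $path .= '?' . $parts['query'];
    }
    return safe_local_target($path, $default);
}

// Protected resource (the question's "redirect page"). Validity is judged by the
// authenticated user id being present, not by a session cookie merely existing,
// which is the existence-vs-validity trap from Answer 3.
function require_login(string $requestUri): void
{
    if (!empty($_SESSION['user_id'])) {
        return;                               // valid session: serve the resource
    }
    $_SESSION['return_to'] = safe_local_target($requestUri, '/');
    header('Location: ' . LOGIN_PATH, true, 302);
    exit;
}

// Login handler. The login page itself must NOT call require_login(), or the
// a -> b -> a cycle from the question reappears.
function finish_login(int $userId): void
{
    session_regenerate_id(true);              // new session id after privilege change (fixation defence)
    $_SESSION['user_id'] = $userId;

    $target = safe_local_target($_SESSION['return_to'] ?? null, '');
    unset($_SESSION['return_to']);
    if ($target === '') {
        // Nothing stored (e.g. user opened /login.php directly): fall back to a validated referrer.
        $target = referer_local_target($_SERVER, '/');
    }
    header('Location: ' . $target, true, 303); // 303: do not let the browser replay the POST
    exit;
}
```

Because `safe_local_target()` is applied both when the destination is stored and again when it is consumed, a value that was written into the session by some other code path is still checked before it reaches the `Location` header.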

Answer 5:

You could let your login page do the redirection in one pass (without redirecting back to the "redirect page").