When i enter to the user restricted area , im redirect to the user login page ($this->response->redirect('login.php'));
but on login.php i couldn get the $_SERVER['HTTP_REFERER'] to redirect user after login.
Never rely on $_SERVER['HTTP_REFERER']. It is supposed to be sent by the browser, but is not guaranteed.
I'm doing something similar to this in my current project. Rather than simply doing a redirect to "login.php" though, I append the requested URL. So an unauthenticated request to "/programs/administrator" will redirect the user to "login.php?r=/programs/administrator/". Admittedly it's not as pretty of a URL, but I don't mind. If you do, you could always store that in the session instead of the URL.