HEADS UP: Header Redirection HTTP status codes
Posted: Wed Aug 19, 2009 3:07 am
I just wanted to give everyone a heads up regarding HTTP status codes and an issue I encountered with Google Chrome.
It's not unusual to redirect a user after they have logged in. Reference the following code:
Code:
function redirect($url) {
    // No status code given, so PHP sends 302 by default
    header("Location: $url");
}
The above code will redirect a user to the destination with no perceived issue. An issue does occur, however, with Google Chrome, because it appears to adhere to the HTTP standards more precisely.
Using PHP's header function to send a location tag will result in an HTTP status code of 302 being sent by default, unless you have already sent a 3xx status code. So what does this mean? It means that the browser can cache the result of the request, resulting in future requests immediately requesting the URL sent by the previous redirection header.
So if you request login.php, get redirected to account.php, then request login.php again, login.php will not be requested. Instead, the browser will directly request account.php.
In most cases this will not make any difference. I noticed that closing the session will clear the 302 redirection cache in Google Chrome. This issue became apparent to me because I had a page that redirected to another page for logged-in users when specific criteria were not being met. I noticed that they were still being redirected even after the criteria were being met. Since the destination page was not redirecting them, I realized that Google Chrome was caching the redirect.
My first attempt to resolve this issue was to change the redirection status code to "307 Temporary Redirect". This caused issues in Firefox when I submitted a form. Firefox would ask me if I wanted to resubmit the POST data to the new URL.
I then reviewed the status codes on w3.org and discovered that for 302 redirects the response is ONLY cacheable if indicated by the Cache-Control or Expires header.
"The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field."
The final solution was to send the Cache-Control and Expires headers, along with the 302.
Code:
function redirect($url)
{
    header("Cache-Control: max-age=0, no-cache, no-store, must-revalidate"); // HTTP/1.1
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past
    header("Location: $url", true, 302);
    exit();
}
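An added example, not part of the original post: a small Python check that applies the caching rule quoted from w3.org to a redirect response's status and headers, so the two redirect() variants above can be compared. The function names and sample responses are constructed for illustration; treating 301 and 308 as cacheable by default follows RFC 7231 and RFC 7538, and the check models the standard's rule, not any particular browser's behaviour.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

REDIRECTS = {301, 302, 303, 307, 308}
CACHEABLE_BY_DEFAULT = {301, 308}  # may be stored with no explicit cache header

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def redirect_may_be_reused(status, headers, now=None):
    """True if a cache may replay this redirect without asking the server again."""
    if status not in REDIRECTS:
        raise ValueError("not a redirect status: %d" % status)
    now = now or datetime.now(timezone.utc)
    hdrs = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(hdrs.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return False
    if "max-age" in cc:  # max-age takes precedence over Expires
        age = cc["max-age"] or ""
        return age.isdecimal() and int(age) > 0
    if "expires" in hdrs:
        try:
            return parsedate_to_datetime(hdrs["expires"]) > now
        except (TypeError, ValueError):
            return False  # an invalid date counts as already expired
    return status in CACHEABLE_BY_DEFAULT

# Constructed sample responses (not captured traffic).
HARDENED = {"Cache-Control": "max-age=0, no-cache, no-store, must-revalidate",
            "Expires": "Mon, 26 Jul 1997 05:00:00 GMT", "Location": "account.php"}
SAMPLES = {
    "bare 302": (302, {"Location": "account.php"}),
    "hardened 302": (302, HARDENED),
    "302 max-age=3600": (302, {"Location": "account.php", "Cache-Control": "max-age=3600"}),
    "bare 301": (301, {"Location": "account.php"}),
}

def audit(samples=SAMPLES, now=None):
    """Map each sample name to whether its redirect may be replayed from cache."""
    return {name: redirect_may_be_reused(s, h, now) for name, (s, h) in samples.items()}

if __name__ == "__main__":
    for name, reusable in audit().items():
        print("%-18s %s" % (name, "may be replayed from cache" if reusable else "re-requested"))
```

Under this rule only the 302 with a positive max-age and the bare 301 may be replayed from cache, which is why a permanent redirect is a poor choice for a login page whose target depends on session state.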