Blocking Header Redirects

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

The_Anomaly
Forum Contributor
Posts: 196
Joined: Fri Aug 08, 2008 4:56 pm
Location: Tirana, Albania

Blocking Header Redirects

Post by The_Anomaly »

In most of my web apps, there are pages that unauthenticated users cannot access. If this conditional fails, then it redirects them with the header('Location: login.php') or something similar.

How does this work? I mean, is it client side, in that the browser can ignore this redirect, and continue on the site? I mean, if there's a way to block the header redirect, they'd have access to the page.

In the past I've put exit after the header() for this reason, but I've never known how it works. Is it possible to stop an HTTP redirect?
arjan.top
Forum Contributor
Posts: 305
Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia

Re: Blocking Header Redirects

Post by arjan.top »

It would return:
HTTP/1.1 302 ...
Location: http://www.example.com

The browser can ignore it (or any other client, because it's client side); that is why you need to stop executing PHP (exit()) after the redirect.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Blocking Header Redirects

Post by kaisellgren »

arjan.top wrote: It would return:
HTTP/1.1 302 ...
Location: http://www.example.com

The browser can ignore it (or any other client, because it's client side); that is why you need to stop executing PHP (exit()) after the redirect.
Or put them in a block like

<?php

if ($logged) {
    // Do things
} else {
    header('Location: login.php');
}

?>
A common thing that I do is:

header('Location: login.php');
die('Your browser does not support header redirections. <a href="login.php">Click here to login</a>.');