Is using a header('location: ') enough to password protect a page? - php

Basically, I am checking to see if the user is logged in and if not I will use header('location: login.php') to redirect to the login page.
I am confused whether it is actually the browser or the server that is redirecting. If it is the browser, would it be possible for the user to prevent the browser from redirecting and view the contents of the page?

Yes, it is not the browser that is redirecting, but PHP, before anything is sent to the browser.
Just make sure you use exit() after your header call and that nothing is output to the browser before your header call.

If by "enough", you mean that the information will not be exposed to anyone who is not authenticated, even if they sniff the network traffic, then you must simply not send the information in the body of the response to any non-authenticated request.
Something like this should be enough:
header('location: login.php');
exit; // make sure not to echo anything in the body
It will cause the browser to receive an HTTP header and start a totally new request to login.php, while not revealing any of the sensitive info in the response.

Well, keeping it simple, checking for a specific variable and, based on it, deciding between redirecting and showing the contents is okay. Something like this will work for you:
if ($your_condition) {
    header('Location: login.php');
    exit(); // or die()
} else {
    // show contents...
}

The server is redirecting. The client browser gets directed to the page the server sends through the header modification. The user is not able to prevent the redirection from the page, but is able to see content after that line of redirect code header('location: login.php');
// print to the error log before and after the header redirect to show that code is executed after the redirect
error_log("before redirect");
header('location: login.php');
// this will still get executed; to prevent it, exit() the script immediately after the header redirect
error_log("after redirect");
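The pattern the answers above describe, as an added example that is not from the original answers: a gate that sends the redirect and then stops the script, with the unguarded version kept in a comment. It assumes login.php sets $_SESSION['logged_in'] = true after a successful login.

```php
<?php
// Added example (not from the original answers): login gate for a protected page.
// Assumes login.php sets $_SESSION['logged_in'] = true on success.
declare(strict_types=1);

session_start();

function require_login(): void
{
    if (!empty($_SESSION['logged_in'])) {
        return; // authenticated: let the page render
    }

    // Insecure variant from the question: header() with nothing after it.
    //   header('location: login.php');
    //   // execution continues, so the HTML below still goes into the 302 body

    // Explicit 302 so the status line matches the Location header.
    header('Location: login.php', true, 302);

    // Without this exit, PHP keeps running and the protected HTML below is
    // written into the body of the redirect response, where any client that
    // does not follow redirects (curl -i, a proxy, a packet capture) can read it.
    exit;
}

require_login();
?>
<!DOCTYPE html>
<html>
<body>
<p>Content only logged-in users may see.</p>
</body>
</html>
```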

Related

Redirect googlebot from my ajax page to static html page

My main page is called as 'www.xxxx/!#/hear-us'.
I want to redirect the crawler to the HTML version, called hear-us.php.
I used:
<?php
// strpos() returns 0 when the match is at the start of the string, so compare against false
if (strpos($_SERVER['HTTP_USER_AGENT'] ?? '', "Googlebot") !== false) {
    header('Location: http://xxxx/hear-us.php');
    exit;
}
?>
When the URL is submitted to Google Webmaster Tools, it does not see the redirect.
You may want to add the actual redirect code in the header you're sending either by sending the Status header before the Location one or with:
header("Location: /foo.php", TRUE, 301);
Note, this is a permanent redirect, change the code as needed.
Also, a good practice is to call exit as soon as you send the headers, otherwise any output may modify (or garble) the message.

php - how to redirect to be 100% sure that REFERRAL cleaned after redirect

How do I redirect users and be sure that the HTTP_REFERER does not carry over to the next page after reaching a page called redirect.php?
The program flow is as follows:
1) The user is on the page at http://example.com/index.php (which contains a link to redirect.php).
2) The user clicks the link to redirect.php, and it sends header('Location: http://otherlocation.com/index.php');
3) I need to prevent otherlocation.com from seeing the HTTP_REFERER of http://example.com/index.php.
I have tried:
header('Location: redirect.php');
This does not work as HTTP_REFERER is populated with the value from the first page (http://example.com/index.php).
HTTP_REFERER is filled in by the browser, not server-side.
You may try redirecting the user with:
<meta http-equiv="refresh" content="2;url=http://otherlocation.com/index.php" />
<script>document.location = 'http://otherlocation.com/index.php';</script>
The browser does not fill in HTTP_REFERER in this case (IMHO).
In Firefox this does not work :(
You can use
header("Location: redirect.php");
or, if you want some delay or countdown, you can use:
// 5 is the number of seconds of delay before going to the page you've entered.
header("Refresh: 5; url=redirect.php");
To redirect using PHP, send a header to the browser. Try this:
header('Location: redirect.php', true, 302);
exit;
The above code will set the HTTP_REFERER trace to the current page, hence deleting the trace from the previous page.

PHP - Checking for session in HTML page

I have an HTML page that I do not want to be available unless the login is successful. My login starts a session; however, I don't know how to check for the session in the HTML. If the session exists I want to display the page, and if not I want to display an unauthorised message. How can I do this?
You can't check for the session in the HTML per se; you'd have to do it in PHP. Depending on how your page is built using PHP, you could try putting something like this at the top of your HTML file:
<?php
if (!isset($_SESSION['my_login_var'])) {
echo 'Unauthorised';
exit();
}
?>
But you'd be far better off doing this earlier on in your PHP code, in which case you could use the header function to send the user to a proper 403 page.
UPDATE
Usually PHP does some processing before the HTML is output and the headers are sent to the connecting client, so you want to send a 403 header before that output happens. This could be in an included PHP file that is run before the HTML is built, or even in the HTML file itself if no other content has been output before the script reaches that point.
You can make a small adjustment to the code above to send a 403 header and 'properly' deny access to the page:
<?php
if (!isset($_SESSION['my_login_var'])) {
header('HTTP/1.1 403 Forbidden');
exit();
}
?>
You're going to need to look up PHP sessions. See http://us.php.net/manual/en/function.session-start.php for PHP session_start() documentation.
Basically you will need to do session_start(). If the login is successful, set a session variable like $_SESSION['logged_in'] = true;. Then do some logic on your page and redirect/display message depending on the result.
You should attempt something and come back and ask a more specific question if you have problems.
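The included-guard-file approach the updated answer describes, as an added example not from the original answer: a small auth_guard.php that each protected page requires before any HTML, which sends a 403 and stops. It uses the thread's $_SESSION['my_login_var'] name and assumes the login script sets it on success.

```php
<?php
// Added example (not from the original answer): auth_guard.php.
// Usage at the very top of a protected page, before any HTML or whitespace:
//   <?php require __DIR__ . '/auth_guard.php'; ?>
// Assumes the login script sets $_SESSION['my_login_var'] on success.
declare(strict_types=1);

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start(); // $_SESSION is empty until a session has been started
}

if (empty($_SESSION['my_login_var'])) {
    if (headers_sent($file, $line)) {
        // Output already began (e.g. a blank line or BOM before <?php in the
        // HTML file), so the status can no longer be changed; log it and still
        // stop so the protected markup below the guard is never emitted.
        error_log("auth_guard: cannot send 403, output started at $file:$line");
        exit;
    }
    http_response_code(403); // status line with the request's own protocol version
    header('Content-Type: text/plain; charset=utf-8');
    echo 'Unauthorised';
    exit; // never fall through into the protected HTML
}
```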

Are commands executed after the "header()" function in PHP?

For example, here:
<?php
session_start();
if (!isset($_SESSION['is_logged_in'])) {
header("Location: login.php");
die();
}
?>
<Some HTML content>
Is die() really necessary here?
Is die() really necessary here?
It is. Otherwise, the client will still get the HTML code in the response body. The header asks the client to terminate and go to the new page, but it can't force it.
The client can always continue listening to the response and receive everything output afterwards, which is a fatal security hole, e.g. when protecting sensitive data in a login area.
Yes, die() is necessary. A call to header("Location: some-location.php") sends the specified header (a 302 redirect in this case) to the browser, but it DOES NOT terminate the script. It becomes more important if the lines after the redirect statement contain PHP code which may execute unintentionally. So if you want to send the redirect header and abort any further processing, you must call die, exit, return or any other similar construct.
Note that it is possible to perform further processing after sending the redirect header.
Yes. Simply generating a header, even the Location header, does not terminate the current script. The HTML output will be visible in e.g. a packet sniffer.
I found that: http://www.figured-it-out.com/figured-out.php?sid=181
So according to this it seems that some browsers just stop receiving the HTML content and redirect directly to the new page, while other browsers like IE still wait until the loading of the page is finished.
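A check for the die() question above, as an added example not from the original thread: fetch the protected page without following the redirect and confirm that the 302 response carries an empty body. The URL is a placeholder for your own protected page.

```php
<?php
// Added example (not from the original thread): does the redirect response leak a body?
// Run from the command line against your own protected page (placeholder URL below).
declare(strict_types=1);

function redirect_leaks_body(string $url): array
{
    $ctx = stream_context_create([
        'http' => [
            'method'          => 'GET',
            'follow_location' => 0,    // stay on the 3xx response instead of loading login.php
            'ignore_errors'   => true, // hand back the body even for 3xx/4xx statuses
            'timeout'         => 5,
        ],
    ]);
    $body = file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException("request failed: $url");
    }
    // $http_response_header is set by the http wrapper; its first entry is the status line.
    $status   = (int) substr($http_response_header[0], 9, 3);
    $location = null;
    foreach ($http_response_header as $h) {
        if (stripos($h, 'Location:') === 0) {
            $location = trim(substr($h, 9));
        }
    }
    return [
        'status'   => $status,
        'location' => $location,
        'body_len' => strlen(trim($body)),
        // A redirect that still carries page content means the script kept running after header().
        'leaks'    => $status >= 300 && $status < 400 && trim($body) !== '',
    ];
}

$r = redirect_leaks_body('http://localhost/protected.php'); // placeholder: your protected page
if ($r['leaks']) {
    echo "LEAK: {$r['status']} to {$r['location']} but the body still has {$r['body_len']} bytes\n";
} else {
    echo "OK: status {$r['status']}, empty body\n";
}
```

Run it once while not logged in; a non-empty body alongside the 302 is exactly the case the answers warn about.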

Redirect based on referer's url

I am trying to redirect visitors to a site based on their referring url.
Here is the script:
<?php
$domain = 'blankds.com';
$referrer = $_SERVER['HTTP_REFERER'];
echo $referrer; // this output is what triggers the "Cannot modify header" warning
if (preg_match("/$domain/", $referrer)) {
    header('Location: http://www.blackisgreen.org/page_1.php');
} else {
    header('Location: http://www.blackisgreen.org/page_2.php');
}
exit;
Errors: I get a "Warning: cannot modify header" error because I am echoing $referrer before sending headers.
If I remove the echo the script does not work.
Any suggestions?
PHP is sending headers to the user requesting the page when you echo $referrer. The header function you are then calling attempts to modify these headers and affix a location redirect, but cannot, as the headers have already been sent along with the start of your page content.
To get around this problem, take a look at PHP's Output Control functions, especially ob_start(), which, inserted at the top of your script, should allow you to continue echoing the redirect location while still being able to redirect.
Just as a note: Any output will auto-generate headers. If you want to redirect with headers you just need to comment out echo $referrer; If you need to see what referrer is going to which site for debugging purposes, just put it in the URL, the receiving page should ignore it.
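The output-buffering approach from the answer, applied to the question's script, as an added example that is not from the original answers: ob_start() buffers the debug echo, the helper refuses to redirect once headers are out, and the referrer test compares the host instead of matching the domain anywhere in the string. Assumes PHP 8 (str_ends_with).

```php
<?php
// Added example (not from the original answers): redirect-by-referrer without the
// "Cannot modify header" problem. Assumes PHP 8 for str_ends_with().
declare(strict_types=1);

ob_start(); // buffer all output so an early echo cannot send the headers prematurely

function redirect_or_fail(string $url): void
{
    if (headers_sent($file, $line)) {
        // Headers already left the server (buffer flushed, or ob_start() missing);
        // a Location header now would only raise the warning from the question.
        error_log("redirect_or_fail: headers already sent at $file:$line");
        exit;
    }
    ob_end_clean(); // discard anything echoed so far (debug output, stray whitespace)
    header('Location: ' . $url, true, 302);
    exit;           // do not let anything else reach the response body
}

$domain   = 'blankds.com';
$referrer = $_SERVER['HTTP_REFERER'] ?? '';
echo $referrer; // the question's debug output: harmless now, it is buffered and discarded

// preg_match("/$domain/", ...) also matches "blankds.com" inside a path or query
// string of an unrelated site; comparing the host component avoids that.
$host       = (string) (parse_url($referrer, PHP_URL_HOST) ?: '');
$fromDomain = $host === $domain || str_ends_with($host, '.' . $domain);

redirect_or_fail('http://www.blackisgreen.org/' . ($fromDomain ? 'page_1.php' : 'page_2.php'));
```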
