Header(“Location:”) Safe to use?

Question

I was wondering if what I'm using is safe:

    Header(“Location:”);

I want to use it like this: $user would be the user's session and 1 would mean admin. (Just an example.)

     if($user != 1){ 
     header("location: index.php"); }

So would this stop users from using that page, including downloading files, looking at the source of that page? Because my adminpanel is going to have downloads and also inserts for the homepage..

If it's not safe to use, or the way I'm using it. What should I use instead?

Thanks.

I suggest using `exit;` after the `header` statement. http://stackoverflow.com/questions/3553698/php-should-i-call-exit-after-calling-location-header — showdev, Apr 25 '13 at 17:40
I'm on a phone (so I can't give much of an explanation), but the browser doesn't see raw PHP. And call exit() after the header redirect. — Chris Forrence, Apr 25 '13 at 17:40
Everyone suggesting exit or die after the header has never unit-tested a redirect. — Mike B, Apr 25 '13 at 17:42
@MikeB Care to elaborate? I'm sure you have some useful information on the subject, but your comment doesn't reveal it. — showdev, Apr 25 '13 at 17:44
@showdev Unit tests run with PHP.. so if you call exit in your code your tests stop. Frameworks solve this by having a response object where you set headers and then send them without calling exit. Your tests can make assertions against the response object. — Mike B, Apr 25 '13 at 19:17
@MikeB Thanks. So as an amendment to my original comment, don't use `exit` if other code needs to execute after `header()`. — showdev, Apr 25 '13 at 19:42
@showdev Don't use exit if the problem you're solving is "You don't want code executing after the redirect and possibly showing something to the user that they shouldn't see". Your application has more serious problems if you need exit in this situation. — Mike B, Apr 25 '13 at 19:59

score 2 · Answer 1 · answered Apr 25 '13 at 17:39

2

Don't forget to die() after setting a Location header. That's what really stops people from using pages they're not supposed to.

answered Apr 25 '13 at 17:39

Niet the Dark Absol

320,036
81
464
592

score 2 · Accepted Answer · answered Apr 25 '13 at 17:42

2

header() is safe to use, but it means you have to include that call in every page you don’t want a non-admin to view.

A better way would be to have an authenticated user class that handles this. The benefit is, it DRYs your code.

<?php
class User
{
    public function __construct()
    {
        // create your user however, i.e. fetch a record from your database
    }    

    public function isAdmin()
    {
        return ($this->user->role == 'admin');
    }

    public function redirect()
    {
        header('Location: index.php');
        exit;
    }
}

And then use it in your code:

<?php

$user = new User();

if (!$user->isAdmin()) {
    $user->redirect();
}

// continue with your page as normal; user here is an admin

answered Apr 25 '13 at 17:42

Martin Bean

38,379
25
128
201

1

How is having to include `$user = new User(); if(!$user->isAdmin()) $user->redirect();` any easier than what they have now? – Niet the Dark Absol Apr 25 '13 at 17:50
Thanks for the info I got it now. :) – lepel100 Apr 25 '13 at 18:04
@Kolink Because if they want to redirect to a different URL then they’ve got to go through every instance and change the URL, rather than the just the URL in the one class method. – Martin Bean Apr 25 '13 at 20:07
Okay, I'll give you that, but personally I just start my file with `login()` and define that function in one place ;) – Niet the Dark Absol Apr 25 '13 at 21:42

score 1 · Answer 3 · answered Apr 25 '13 at 17:40

1

you need put exit; after header

answered Apr 25 '13 at 17:40

Ali Akbar Azizi

3,272
3
25
44

score 1 · Answer 4 · answered Apr 25 '13 at 17:41

I feel like a better way would be to exit the page and prevent any other code execution. I'm not sure but a user might be able to ignore header redirect requests if they wanted to.

I've always just added a little snippet like "Sorry, this is only available to Administrators" and then just return; or exit;

edit: great googly moogly you guys are quick to the draw.

score 1 · Answer 5 · answered Apr 25 '13 at 17:44

So what happens here is that by setting the Location tag, you are in fact giving back a HTTP 30x request, pointing the users browser to the new page. But it's in the hands of the browser to respect it. If the browser/user is malicious, he might just ignore it.

So you need to stop your output right after sending the Location header with die(). Than it's safe - the browser doesn't get any data it shouldn't get

score 0 · Answer 6 · answered Apr 25 '13 at 17:59

0

use die(header("Location:...")); kill the page

answered Apr 25 '13 at 17:59

chien pin wang

559
1
4
15

Header(“Location:”) Safe to use?

6 Answers6