Is header() safe? If not what's the best alternative?

Question

I am making a PHP authentication system where the user is required to login again to proof that they own that account (for security reasons obviously).

Anyway once they enter the correct account info I then want to redirect to a page anyway the question is is it true that using the PHP header(Location '...') function increase security flaws?

Some people say that hackers can hi jack the header not sure if this is true as I have seen software such as MyBB use header?

If it is, what would be the safest way to redirect a user?

The `header` will only happen if the correct credentials were entered. I doubt very much that a potential hacker can have access to it unless the account was compromised. — Funk Forty Niner, Apr 07 '14 at 13:04
Ok, Thanks ;) I be adding features to try and event users accounts from getting compromised some say the hacker could change the url path aswill — user279297, Apr 07 '14 at 13:08
Possible duplicate of [How to avoid HTTP Header Injection (new lines characters)](https://stackoverflow.com/questions/11363159/how-to-avoid-http-header-injection-new-lines-characters) — Donald Duck, Nov 26 '18 at 12:10

score 2 · Answer 1 · answered Apr 07 '14 at 13:07

2

Header is fine, and hackers wont be able to "hack" your header. Just never use javascript redirect. When you use javascript redirect, people can turn it off, and your redirect and code doesnt work anymore -> huge security flaws.

answered Apr 07 '14 at 13:07

Xatenev

6,383
3
18
42

score 0 · Answer 2 · answered Apr 07 '14 at 13:12

Header function itself is just irrelevant to security.

It is unclear from your question what you are asking for, as you intermixed everything, so, here are some guidelines

headers that can be hijacked are client headers. While you are sending server one.
what you have to secure is a destination script, which have to use session variable to identify client.
when you are using header to stop someone from accessing a page, this would be insecure. Every time you are sending a header that is supposed to send client to a different page, it have to be always followed by exit

Ok thanks for all the replies ;) I will be careful when using Location header then ;) — user279297, Apr 15 '14 at 04:16

score 0 · Answer 3 · edited May 23 '17 at 11:43

If it is a user controlled Location header value then there could be a vulnerability.

e.g.

Regarding header injection, from the PHP doc:-

(since [PHP] 4.4.2 and 5.1.2) This function now prevents more than one header to be sent at once as a protection against header injection attacks.

source here.

For unvalidated redirects or forwards, say you had a page URL with another URL as a query string parameter. e.g.

http://www.example.com/redirect.php?url=account.php

If your script blindly redirected to account.php then an attacker could email a URL to their victim in the form

http://www.example.com/redirect.php?url=http://www.evil.com

or obfuscated as

http://www.example.com/redirect.php?url=%68%74%74%70%3a%2f%2f%77%77%77%2e%65%76%69%6c%2e%63%6f%6d

if a user checks the domain before clicking, it appears to go to your www.example.com website and appears safe, however as the page redirects to the attacker it is not and it could be a phishing attempt. If they make evil.com look like example.com then an unwitting user may not notice until it is too late and they have already entered their credentails.

In your case it looks like the Location is not user controlled, so you should not be vulnerable to these attacks. However, make sure you call exit after setting the header so you are not outputting extra unintended content that an attacker may use to their advantage.

Is header() safe? If not what's the best alternative?

3 Answers3