I got some code that executes with values inside a $_GET and some code that checks for an active session. Yet, when I go to the link directly without an active session it still executes the function and after that returns to the login page.

My code:

My loginheader:

```php
<?php
session_start();
if (!isset($_SESSION['Username']) || $_SESSION["Actief"] == 0 ||
    $_SESSION["Actief"] == 2) {
    return header("Location: main_login.php");
    exit();
}
```

My webpage (only the needed code):

```php
require "../loginheader.php";
require "../AdminOnlyHeader.php";
// --some code with sql instructions--
$result = ExecuteQuery($sql);
```

AdminOnlyHeader is just to check for admin status. This too seems to be bypassed by just entering a link.

So if you still don't understand what I mean, here's a short summary of what I do:

  1. I make one of those links that contain the get data needed to execute it;
  2. I log out and get returned to the login page;
  3. I enter the link I made before;
  4. After some loading I am still on the login page but when I look at my database I see that the record has been updated and thus the function (ExecuteQuery) was executed.
FirstOne
MiguelDP

1 Answer

Remove `return` from

```php
return header("Location: main_login.php");
```

We need two references to understand this:

> If called from the global scope, then execution of the current script file is ended. If the current script file was included or required, then control is passed back to the calling file.

> If you redirect but you don't die() / exit() the code is always executed and displayed.


Basically, since you returned, it won't reach the exit() part, meaning that it will return the execution to the main script - the one with the function that shouldn't be executed in this circumstance.

FirstOne
  • Works more or less, it does not execute the function (yay) but it returns a 404 not found instead of the login page. – MiguelDP Feb 02 '18 at 11:48
  • Do you have a `main_login.php` file? Is the url correct in the browser? @MiguelDP. Was it working before? – FirstOne Feb 02 '18 at 11:51
  • Ah I found what was causing it. I was inside another directory. I'll place an update if your method worked once I figure out how to go back without changing that loginheader file. – MiguelDP Feb 02 '18 at 12:22
  • Yup everything works now. I did remove the require and recoded the header a bit on that specific site so the judges won't be too happy but hey, it works. Thanks for the help! – MiguelDP Feb 02 '18 at 12:27
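
Added example (not part of the original question or answer): the script below, meant to be run with the PHP CLI, writes a constructed `loginheader.php` and `page.php` to a temp directory and reports whether the code after the `require` still runs for a guard that uses `return` and for one that only calls `exit()`. The file contents, the simulated empty `$_SESSION` and the `runGuard` helper are assumptions made for this demo.

```php
<?php
// Added demonstration (constructed files, not the asker's code): compares a
// required guard that uses `return` with one that uses only `exit()`.

$dir = sys_get_temp_dir() . '/guard_demo_' . getmypid();
mkdir($dir);

// Constructed guard bodies; $_SESSION is simulated as empty (logged out).
$guards = [
    'return' => '<?php
$_SESSION = [];
if (!isset($_SESSION["Username"])) {
    return header("Location: main_login.php"); // control goes back to page.php
    exit(); // never reached
}',
    'exit' => '<?php
$_SESSION = [];
if (!isset($_SESSION["Username"])) {
    header("Location: main_login.php");
    exit(); // request ends here, nothing after the require runs
}',
];

// Hypothetical helper: writes the guard plus a stand-in page, runs the page
// in a child PHP process and returns whatever the page printed.
function runGuard(string $dir, string $guardSource): string
{
    file_put_contents("$dir/loginheader.php", $guardSource);
    // The echo marks the spot where ExecuteQuery($sql) would run.
    file_put_contents("$dir/page.php", '<?php
require __DIR__ . "/loginheader.php";
echo "QUERY EXECUTED";');
    $cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg("$dir/page.php");
    return (string) shell_exec($cmd);
}

foreach ($guards as $name => $source) {
    $out = runGuard($dir, $source);
    $state = $out === '' ? 'did not run' : 'RAN';
    printf("guard using %-6s -> protected code %s\n", $name, $state);
}

// Clean up the constructed files.
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```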