code executed even after die();

[onedumbcoder]

I have a problem with my code.

 

I have something similar to this

 

 

session_start();
...
if($activesession)
{
header("Location: home.php");
die();
}

session_destroy();

 

the problem is that even though the if statement is true and it redirects the page, it still executes session_destroy()!

I have no idea why, anyone have a clue?

 

 

 

[cleibesouza]

Have you tried exit() ?

[PFMaBiSmAd]

Either the session_start() on the other page is not working or something else in your actual code is doing a session_destroy() or something else in your actual code is doing the redirect.

[onedumbcoder]

god sometimes im ultra dumb.... after sign up i was not setting the session variables so when it would go to the home page, it would redirect them back to the index page since technically there were never logged in.  :-\

[ldougherty]

Am I missing something, the logic says if the session is set to redirect the user with the header and you then have die after that.

 

Why would you expect it to ever get to the die statement when it is redirecting the user?

[gevans]

Why would you expect it to ever get to the die statement when it is redirecting the user?

 

 

The redirect is just a header. It will send the header then run the rest of the script if there is no die() or exit() statement.

[PFMaBiSmAd]

it is redirecting the user?

The it that is performing the redirect is the browser. Php happily continues executing the rest of the code on the page. A page "protected" by a log in check that does not prevent the rest of the code on that page from being executed is not protected against anything.

 

Here is a case where an admin panel was hacked by not preventing the code on its' pages from being executed - http://www.phpfreaks.com/forums/index.php/topic,258141.0.html If you have a form page, a form processing page, or a page with any kind of content, you only need to ignore the header() redirect and you can access the pages like there was no log in check present.