Simple 1 line header() issue


coupe-r

Hi All,

 

I'm trying to debug my first few lines of PHP where I have all my "checks" to make sure someone is logged in. 

 

I have this code all by itself and it is still not executing.  This is the only page that I'm having trouble with.

 

header('Location: login.php?logout=1');


This is the only code that should be executing.  I can do:

 

echo 'HERE';

 

Right above or below the header() code and it works fine, but anything with a header() function does not work.  I could have that header(); function on the 2nd line and it still doesn't work.


There should be NO output (via echo or lack of PHP tags) before the header command. If there's ANYTHING (even whitespace before <?php) it won't work. Header alters the information sent to the browser, but if anything is output before the header command, the HTTP headers have already been sent, so it can't be altered.


Here is just the top of my PHP:

 

<?php
session_start();
require_once("../../connect.php");
require_once('../../config.php');
require_once("../functions/functions.js");
require_once('../class/mcrypt.class.php5');
date_default_timezone_set('America/New_York');

// VALIDATE LOGIN CREDENTIALS
if($_SESSION['time'] < time() - (60*60))	{header('Location:'.SITE_root.'login.php?logout=1');}
else{$_SESSION['time'] = time();	mysql_query("UPDATE sessions SET last_updated = '".time()."' WHERE session = '".$_SESSION['session']."'");}
$result = mysql_query("SELECT COUNT(*) FROM sessions WHERE session = '".$_SESSION['session']."' AND ip = '".$_SESSION['ip']."' AND user_id = '".$_SESSION['user_id']."' AND client_id = '".$_SESSION['client_id']."'");
$row = mysql_fetch_row($result);
if($row['0'] < 1)	{header('Location: '.SITE_root.'login.php?logout=1');}
if(!isset($_SESSION['firstname']) || $_SESSION['type'] != '1' && $_SESSION['type'] != '2')	{header('Location:'.SITE_root.'login.php?logout=1');}
if(!isset($_GET['id']))	{header('Location: index.php');}


header('Location: login.php?logout=1');

 

That entire top part is not working, because it should kick them out to the main login page.  To debug it, I just added that last header() code to kick them out no matter what, but that isn't even working.  But it does work if I try it on another page.  I'm clueless here...


You should be developing and debugging your code on a system with error_reporting set to E_ALL and display_errors set to ON in your master php.ini so that php will help you by reporting and displaying all the php errors that occur in your code. You will save a TON of time.


I am not new to this.  Error reporting is on and there are errors on the page.  They all pertain to variables that should be set on successful login, which is what the first part of my PHP code checks for.  For simplicity, I just added that small header() code to see if it would kick me out of the current page and it doesn't.  There are 0 errors pertaining to the header() code.


Is your error_reporting really set to E_ALL or greater? Have you actually checked what it is using a phpinfo() statement?

 

If a header() redirect doesn't work, either YOU ARE sending output before it, in which case there would be a Warning message, OR you are redirecting back to the same page where your header() statement is at.

 

You also need an exit; statement after just about every one of the header() redirects in the code you posted to prevent the remainder of the code on the page from being executed while the browser performs the redirect. All a hacker needs to do is ignore the redirect your code is sending and he can access the 'protected' content on your pages because php continues executing the code on a page until it reaches the end of the page or it reaches an exit/die statement.

 

Edit: Also, if you are doing this on a system with output_buffering turned on in your php.ini, you won't see any errors on the page from the error_reporting/display_errors settings when there is an action that clears the buffer.
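
The two points made in the reply above (no output before header(), and exit after every redirect), shown as an added example that is not part of the original thread or the poster's code. The names `redirect_and_exit`, `session_is_valid` and `APP_LOGIN_URL` are hypothetical, and the database session lookup from the posted code is left out.

```php
<?php
// Added example; helper names and the login path are assumptions.
declare(strict_types=1);

const APP_LOGIN_URL = '/login.php?logout=1'; // assumed location of the login page
const SESSION_IDLE_LIMIT = 3600;             // 60*60 seconds, as in the posted code

/**
 * Redirect and stop. If output has already started, header() cannot
 * change the response, so log where the output began and fail closed.
 */
function redirect_and_exit(string $url): void
{
    if (headers_sent($file, $line)) {
        // headers_sent() fills $file/$line with the place output started,
        // e.g. an included file with text outside <?php ... ?> tags.
        error_log("Cannot redirect to $url: output started at $file:$line");
        exit('Access denied.');
    }
    header('Location: ' . $url, true, 302);
    exit; // without this, the rest of the page still runs and is sent
}

/** Pure check so the login rules can be tested without a live session. */
function session_is_valid(array $session, int $now): bool
{
    if (!isset($session['time'], $session['firstname'], $session['type'])) {
        return false; // never logged in, or session data incomplete
    }
    if ((int) $session['time'] < $now - SESSION_IDLE_LIMIT) {
        return false; // idle for more than an hour
    }
    // Only account types 1 and 2 may view this page (as in the posted code).
    return in_array((string) $session['type'], ['1', '2'], true);
}

session_start();

if (!session_is_valid($_SESSION, time())) {
    redirect_and_exit(APP_LOGIN_URL);
}

$_SESSION['time'] = time(); // refresh the idle timer

// Protected page content starts here; it is only reached by valid sessions.
```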
