Set Status Code Header(401) and Apache ErrorDocument Help


Solved by benanamen

Hey, not exactly new to php, but not a seasoned veteran either.  I have a page I manage, and I'm trying to get a nice error.php page to work which will print out a nice looking error based on the error code I am using.

 

I have a page on my site that I want to hide from non-admin users.  Currently I do this by using a function (isUserAdmin) which runs in the header, which does a check against a DB.  It grabs the user's id from the cookie, and then connects to MySQL to see if the user is an admin.  It then sets a PHP variable adminString to either True or False.  This works, and when I'm logged in I can see using the Firefox Web Console that as an admin user I get a 200, and as a non-admin user I get a 401 in the browser.

if($adminString == "False"){
     http_response_code(401);       
}

However, the page still displays.  In my apache httpd.conf, I have:

  #Define pages to load for certain http errors
  ErrorDocument 400 /error.php
  ErrorDocument 401 /error.php
  ErrorDocument 403 /error.php
  ErrorDocument 404 /error.php
  ErrorDocument 500 /error.php

That error.php page exists and seemingly works, b/c when I go to my site http://site.com/foo (which does not exist), I get my nice 404 page back in the browser.

 

How can I get php to trigger the ErrorDocument through the web-server when I set the status code?

  • Solution

Try this:

if($adminString == "False"){
     die(header("Location: /path_to_file/error.php"));
}

Another thing you could do is just redirect them back to your main page and not even show an error to the user.

Edited by benanamen

Silently redirecting to an error page is a bad idea, because that's simply not how the HTTP protocol works.

 

The status of the response is determined by the response code. If you do a redirect, that means: “Everything is fine, but the content is now at ...”. That's obviously nonsense in your case, because what you actually want to say is that the user isn't authorized to view the page (which is an error).

 

Sure, a human with good eyes will look at the page and figure out that your “Everything is fine” really means “You've made a mistake”, but

  • not every webclient is a human, and not all processing is done by humans
  • not every human has good eyes

So don't rely on clients to figure out the status from purely visual information. Always set the appropriate error code.

 

Unfortunately, Apache seems to have trouble showing the right error page when the response code is generated by PHP. As a workaround, I'd display the error page and at the same time use http_response_code(401):

<?php

http_response_code(401);
readfile('/path/to/custom/401/page');

(You can also define a function which automates those two steps.)
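
The function suggested in the reply above, as an added example that is not part of the original thread: it sets the status code, prints the custom error page, and then stops the script, which is the step missing from the original snippet where the protected page still displayed. The helper name `abort_with_error_page` and the `errors/` directory layout are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (name and paths are assumptions, not from the thread).
// Sends the status code, prints the matching custom error page, and stops
// the script so nothing from the protected page is emitted afterwards.
function abort_with_error_page(int $status, string $errorPageDir): void
{
    // Only serve pages for the codes configured in httpd.conf;
    // anything unexpected is reported as 500.
    $allowed = [400, 401, 403, 404, 500];
    if (!in_array($status, $allowed, true)) {
        $status = 500;
    }

    // Discard anything the protected page has already buffered.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }

    // Must run before any unbuffered output, or the status stays 200.
    http_response_code($status);
    header('Cache-Control: no-store');

    $page = rtrim($errorPageDir, '/') . '/' . $status . '.html';
    if (is_readable($page)) {
        readfile($page);
    } else {
        header('Content-Type: text/plain; charset=utf-8');
        echo "Error $status";
    }

    exit; // Without this, the rest of the protected page is still sent.
}

// Usage at the top of the admin-only page, before any output.
// $adminString is the thread's variable, set by the header include.
// The check fails closed: anything other than the exact string "True"
// (including an unset variable) is denied.
$adminString = $adminString ?? 'False';
if ($adminString !== 'True') {
    abort_with_error_page(401, __DIR__ . '/errors');
}

echo 'Admin-only content';
```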
