ansaurus

Question

Problem with session_start(), ob_start() and security

Answer 1

+4 A:

Put an ob_end_clean and exit after the header call to prevent any further execution/output:

if (!isset($_SESSION['user'])) {
    header("Location: login.php");
    ob_end_clean();
    exit;
}

Gumbo 2010-06-27 21:18:43

Answer 2

+8 A:

Abra kadabra

if(!isset($_SESSION['user'])){
    header("Location: login.php");
    die("GET LOST YO");
}

Robus 2010-06-27 21:18:58

Better without the message, but killing the script fixed the problem easily.

animuson 2010-06-27 21:28:01

*Shrug*, browsers shouldnt see this anyway, since you're getting redirected. And if somebody's sneaky then... well, you just told him to get lost, as he always should have :P

Robus 2010-06-27 21:29:53

Even though it doesn't matter in this case it's still not a good idea to use `die()` anywhere in a website.

Gnarly 2010-06-27 23:04:51

@Gnarly It's the same really http://pl.php.net/die

Robus 2010-06-27 23:10:10

The same as what? What are you talking about?

Gnarly 2010-06-27 23:53:38

@Gnarly Uh, thought you were criticizing die() in favor of exit(). Never mind then :P

Robus 2010-06-28 00:09:05

Answer 3

+1 A:

You should make all script content in IF.

session_start(); 
ob_start();
if(isset($_SESSION['user'])){
    contents...
}
else {
    header("Location: login.php");
ob_end_flush();

Alexander.Plutov 2010-06-27 21:21:04

ansaurus

tags:

views:

answers:

Problem with session_start(), ob_start() and security

related questions