For example, here:

<?php
    session_start();

    if (!isset($_SESSION['is_logged_in'])) {
        header("Location: login.php");
        die();
    }
?>
<Some HTML content>

Is die() really necessary here?

+4  A: 

Is die() really necessary here?

It is: Otherwise, the client will still get the HTML code in the response body. The header asks the client to terminate and go to the new page, but it can't force it.

The client can always continue listening to the response, and receive everything output afterwards, which is a fatal security hole e.g. when protecting sensitive data in a login area.

Pekka
A: 

Yes. Simply generating a header, even the Location header, does not terminate the current script. The HTML output will be visible in e.g. a packet sniffer.

Ignacio Vazquez-Abrams
A: 

I found that: http://www.figured-it-out.com/figured-out.php?sid=181

So according to this it seems that some browsers just stop receiving the HTML content and redirect directly to the new page, whereas other browsers like IE still wait until the loading of the page is ready.

ITroubs
+1  A: 

Yes, die() is necessary. A call to header("Location: some-location.php") sends the specified header (a 302 redirect in this case) to the browser; but it DOES NOT terminate the script. It becomes more important if the lines after the redirect statement contain PHP code which may execute unintentionally. So if you want to send the redirect header and abort any further processing you must call die, exit, return or any other similar construct.

Note that it is possible to perform further processing after sending the redirect header.

Salman A
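Putting the answers together, as an added example (not code from the question or any of the answers): a small redirect helper that sends the Location header and then stops the script, and that fails closed if output has already started (in which case header() would be silently ignored and the protected page would be served anyway). It reuses the login.php and $_SESSION['is_logged_in'] names from the question; everything else is assumed.

```php
<?php
// Added example: redirect helper that never falls through to the protected page.
declare(strict_types=1);

function redirect_and_exit(string $location, int $status = 302): void
{
    // If any output was already sent (e.g. whitespace before "<?php"), PHP
    // cannot add headers and the redirect would silently fail. Fail closed.
    if (headers_sent($file, $line)) {
        http_response_code(500);
        error_log("redirect to $location impossible: output started at $file:$line");
        exit;
    }
    // Drop anything sitting in output buffers so the 302 has an empty body.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    http_response_code($status);
    header('Location: ' . $location);
    exit; // the essential part: header() alone does not stop execution
}

function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Same check as in the question; empty() also rejects a false/0 value.
    if (empty($_SESSION['is_logged_in'])) {
        redirect_and_exit('login.php');
    }
}

require_login();
?>
<Some HTML content>
```

To confirm the fix, request the page without a session cookie using `curl -i` (which does not follow redirects by default): the response should be a 302 with a Location header and no HTML in the body.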