I have this class here, and what I'm trying to do is: if the check of something equals false, then the user will be redirected to the root domain path. But it's not working. Here is the class:

<?php
class security {
    function checkAuth() {
        if(isset($_COOKIE['AUTHID'])) {
            $cookie = $this->secure($_COOKIE['AUTHID']);
            $query = mysql_query("select username,password,active from tbl_users where password = '$cookie'") or die(mysql_error());
            while($row = mysql_fetch_assoc($query)) {
                //check if cookie is set
                if(!isset($_COOKIE['AUTHID'])) {
                    header("Location: ".realpath($_SERVER['HTTP_HOST']));
                }

                //check if user is active
                if($cookie == $row['password']) { 
                    if($row['active'] == '0') {
                        setcookie("AUTHID","",time() - 100000);
                        header("Location: ".realpath($_SERVER['HTTP_HOST']));
                    }
                    else { //user is active
                    }
                }
                //check if hash in cookie matches hash in db
                if($cookie != $row['password']) { 
                    setcookie("AUTHID","",time() - 100000);
                    header("Location: ".realpath($_SERVER['HTTP_HOST']));
                }
            }
        }
    }
}
?>
A: 

The realpath function is working on the file system and returns the canonicalized absolute file system path.

But what you need is a URI. So try this:

header("Location: http://".$_SERVER['HTTP_HOST']."/");
exit;
Gumbo
It would be nice to get a feedback for why my answer got down-voted.
Gumbo
+1 for explaining realpath(). $_SERVER['SERVER_NAME'] is preferable to 'HTTP_HOST', though, which is a request header and may not be defined.
James Socol
A: 

Why not simply:

header('Location: /');
Milan Babuškov
or perhaps header('Location: ./');
BrynJ
The specification requires absolute URIs.
Gumbo
+2  A: 

From PHP doc:

'HTTP_HOST': Contents of the Host: header from the current request, if there is one.

It seems to me that this is a value sent from the client's browser and since a client can change request headers, I think it's better to use SERVER_NAME:

'SERVER_NAME' The name of the server host under which the current script is executing. If the script is running on a virtual host, this will be the value defined for that virtual host.

I therefore think the correct way to do it is:

header("Location: http://{$_SERVER['SERVER_NAME']}/");
die();

A comment to the "Location: /"

As stated in Header Field Definitions, redirects via the Location header should be given with an absolute URI, including http://www.servername.com/redirect/to/this/resource.html, not simply /redirect/to/this/resource.html. (It works redirecting to / too, but it isn't 100% correct.)

Thorbjørn Hermansen
Both values HTTP_HOST and SERVER_NAME are not trustworthy. See http://shiflett.org/blog/2006/mar/server-name-versus-http-host
Gumbo
+2  A: 
  1. I don't think it's a good idea to redirect / directly output in a class for many reasons, the most important being that it defies the whole point of OO. Rather return false and have the calling script do the redirect.
  2. You need to send the headers as the FIRST thing you do, header based redirection won't work if PHP has begun outputting text as the headers will have been sent already.

Try

$_SERVER['SCRIPT_URI'];

or

"http://" . $_SERVER['HTTP_HOST'];

And, yes, exit(); after sending that header.

Don't forget to send an appropriate 30x header response code too, for the redirection

Antony Carthy
+1 for mentioning exit(); If a user agent doesn't respect the Location: header (and it doesn't have to) your security is pretty worthless.
James Socol
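Putting the points from the answers above together (the class returns a boolean instead of redirecting, the caller sends an absolute Location URI with a 30x status before any output, then exits), as an added example that is not code from the question or from any answer. It assumes an existing PDO connection in `$pdo` and a `tbl_users` table with the columns the question's query uses; the prepared statement is swapped in for the question's string-interpolated mysql_query.

```php
<?php
// Added example: the auth check reports a result; the caller redirects.
class Security {
    private PDO $pdo;

    public function __construct(PDO $pdo) {
        $this->pdo = $pdo;
    }

    // True only when the AUTHID cookie matches an active user.
    // No output and no header() calls here: the caller decides what to do.
    public function checkAuth(): bool {
        if (!isset($_COOKIE['AUTHID']) || !is_string($_COOKIE['AUTHID'])) {
            return false;
        }
        $cookie = $_COOKIE['AUTHID'];

        // Prepared statement: the cookie value never becomes part of the SQL text.
        $stmt = $this->pdo->prepare(
            'SELECT active FROM tbl_users WHERE password = :hash LIMIT 1'
        );
        $stmt->execute([':hash' => $cookie]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // No matching row means no valid session. Note that the question's
        // while loop never ran in this case, so no redirect happened there.
        if ($row === false || $row['active'] === '0' || $row['active'] === 0) {
            return false;
        }
        return true;
    }
}

// Must run before any output, otherwise the headers are already sent.
function redirectToRoot(): void {
    // Clear the stale cookie, then send an absolute URI as the spec requires.
    setcookie('AUTHID', '', time() - 100000, '/');
    header('Location: http://' . $_SERVER['SERVER_NAME'] . '/', true, 303);
    exit; // a user agent may ignore Location, so never fall through
}

$security = new Security($pdo); // $pdo: existing PDO connection (assumed)
if (!$security->checkAuth()) {
    redirectToRoot();
}
// ...protected page content follows here
```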