Redirecting with header, but http code is always 200
So, I have a page that checks if the user is logged in and if he isn't they are redirected to the error page with code 403. This is the code I use to redirect:
header('Location: /error.php', true, 403);
But, instead of redirecting it only sets the code to 403. And if I try:
header('HTTP/1.1 403 FORBIDDEN');
header('Location: /error.php');
Then it redirects, but the code is 200...
I'm really lost here and couldn't find anything that worked.
ps: this is my error.php page
<link rel="stylesheet" href="css/error.css">
<?php if (http_response_code() === 404) : ?>
<div class="error">404</div>
<br /><br />
<span class="info">File not found</span>
<img src="http://images2.layoutsparks.com/1/160030/too-much-tv-static.gif" class="static" />
<?php elseif (http_response_code() === 403) : ?>
<div class="error">403</div>
<br /><br />
<span class="info">Unauthorized access</span>
<img src="http://images2.layoutsparks.com/1/160030/too-much-tv-static.gif" class="static" />
<?php endif; ?>
php http
asked Nov 22 at 17:17
edmassarani
9418
add a comment |
So, I have a page that checks if the user is logged in and if he isn't they are redirected to the error page with code 403. This is the code I use to redirect:
header('Location: /error.php', true, 403);
But, instead of redirecting it only sets the code to 403. And if I try:
header('HTTP/1.1 403 FORBIDDEN');
header('Location: /error.php');
Then it redirects, but the code is 200...
I'm really lost here and couldn't find anything that worked.
ps: this is my error.php page
<link rel="stylesheet" href="css/error.css">
<?php if (http_response_code() === 404) : ?>
<div class="error">404</div>
<br /><br />
<span class="info">File not found</span>
<img src="http://images2.layoutsparks.com/1/160030/too-much-tv-static.gif" class="static" />
<?php elseif (http_response_code() === 403) : ?>
<div class="error">403</div>
<br /><br />
<span class="info">Unauthorized access</span>
<img src="http://images2.layoutsparks.com/1/160030/too-much-tv-static.gif" class="static" />
<?php endif; ?>
php http
asked Nov 22 at 17:17
edmassarani
9418
add a comment |
So, I have a page that checks if the user is logged in and if he isn't they are redirected to the error page with code 403. This is the code I use to redirect:
header('Location: /error.php', true, 403);
But, instead of redirecting it only sets the code to 403. And if I try:
header('HTTP/1.1 403 FORBIDDEN');
header('Location: /error.php');
Then it redirects, but the code is 200...
I'm really lost here and couldn't find anything that worked.
ps: this is my error.php page
<link rel="stylesheet" href="css/error.css">
<?php if (http_response_code() === 404) : ?>
<div class="error">404</div>
<br /><br />
<span class="info">File not found</span>
<img src="http://images2.layoutsparks.com/1/160030/too-much-tv-static.gif" class="static" />
<?php elseif (http_response_code() === 403) : ?>
<div class="error">403</div>
<br /><br />
<span class="info">Unauthorized access</span>
<img src="http://images2.layoutsparks.com/1/160030/too-much-tv-static.gif" class="static" />
<?php endif; ?>
php http
asked Nov 22 at 17:17
edmassarani
9418
So, I have a page that checks if the user is logged in and if he isn't they are redirected to the error page with code 403. This is the code I use to redirect:
header('Location: /error.php', true, 403);
But, instead of redirecting it only sets the code to 403. And if I try:
header('HTTP/1.1 403 FORBIDDEN');
header('Location: /error.php');
Then it redirects, but the code is 200...
I'm really lost here and couldn't find anything that worked.
ps: this is my error.php page
<link rel="stylesheet" href="css/error.css">
<?php if (http_response_code() === 404) : ?>
<div class="error">404</div>
<br /><br />
<span class="info">File not found</span>
<img src="http://images2.layoutsparks.com/1/160030/too-much-tv-static.gif" class="static" />
<?php elseif (http_response_code() === 403) : ?>
<div class="error">403</div>
<br /><br />
<span class="info">Unauthorized access</span>
<img src="http://images2.layoutsparks.com/1/160030/too-much-tv-static.gif" class="static" />
<?php endif; ?>
php http
php http
asked Nov 22 at 17:17
edmassarani
9418
asked Nov 22 at 17:17
edmassarani
9418
edited Nov 22 at 17:25
asked Nov 22 at 17:17
edmassarani
9418
asked Nov 22 at 17:17
edmassarani
9418
asked Nov 22 at 17:17
edmassarani
9418
9418
add a comment |
add a comment |
4 Answers
4
active
oldest
votes
Don't use redirection, but script reuse.
Redirection means "What you are looking for, can be found at a different place". You don't want to send the user to a different place. You want to tell them that they are not allowed to see that place where they tried to go.
Instead, use require to include the php script which should show information about an error to the user, without changing the URI.
if(detectedUserNotAllowed)
{
header('HTTP/1.1 403 FORBIDDEN');
require("error.php");
exit();
}
answered Nov 22 at 17:30
NineBerry
13.1k22858
true, that's a lot better. lol idk how i didn't think of that one, thanks
– edmassarani
Nov 22 at 17:36
add a comment |
From the docs:
From the docs: "The second special case is the "Location:" header. Not only does it send this header back to the browser, but it also returns a REDIRECT (302) status code to the browser unless the 201 or a 3xx status code has already been set.
http://php.net/manual/en/function.header.php
That being said, you can add the header in your error.php page
header("HTTP/1.0 403 Forbidden");
answered Nov 22 at 17:20
Felippe Duarte
10.3k21524
yes, I could, but the thing i forgot to say in the question was that I am using this error page for multiple error codes. So I wanted to set it before it got to the page, so that it would show the correct error code
– edmassarani
Nov 22 at 17:23
Then create multiple errors page likeerror403.phperror500.phpand so on. These pages canincludeanother page code inside, after set the header.
– Felippe Duarte
Nov 22 at 17:24
i see, I thought it would be possible to do it this way, but I guess not :(
– edmassarani
Nov 22 at 17:25
add a comment |
You don't redirect - you simply generate the 403 (or whatever other error code is appropriate) and have Apache send the proper ErrorDocument.
https://httpd.apache.org/docs/2.4/mod/core.html#errordocument
EG -
ErrorDocument 403 /errors/forbidden.php?referrer=%{escape:%{HTTP_REFERER}}
in your Apache vhost config, or a .htaccess file.
Even Apache's docs note what one of the comments reflected about sending a status code followed by a redirect -
Note that when you specify an ErrorDocument that points to a remote
URL (ie. anything with a method such as http in front of it), Apache
HTTP Server will send a redirect to the client to tell it where to
find the document, even if the document ends up being on the same
server. This has several implications, the most important being that
the client will not receive the original error status code, but
instead will receive a redirect status code. This in turn can confuse
web robots and other clients which try to determine if a URL is valid
using the status code. In addition, if you use a remote URL in an
ErrorDocument 401, the client will not know to prompt the user for a
password since it will not receive the 401 status code. Therefore, if
you use an ErrorDocument 401 directive, then it must refer to a local
document.
answered Nov 22 at 17:39
ivanivan
1,609258
add a comment |
You cannot redirect with a 403 code, browsers won't heed a location header if the status code is not one of the 3xx section.
This is found in RFC 7231:
For 3xx (Redirection) responses, the Location value refers to the
preferred target resource for automatically redirecting the
request.
answered Nov 22 at 17:24
maio290
1,605414
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53435718%2fredirecting-with-header-but-http-code-is-always-200%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
Don't use redirection, but script reuse.
Redirection means "What you are looking for, can be found at a different place". You don't want to send the user to a different place. You want to tell them that they are not allowed to see that place where they tried to go.
Instead, use require to include the php script which should show information about an error to the user, without changing the URI.
if(detectedUserNotAllowed)
{
header('HTTP/1.1 403 FORBIDDEN');
require("error.php");
exit();
}
answered Nov 22 at 17:30
NineBerry
13.1k22858
true, that's a lot better. lol idk how i didn't think of that one, thanks
– edmassarani
Nov 22 at 17:36
add a comment |
Don't use redirection, but script reuse.
Redirection means "What you are looking for, can be found at a different place". You don't want to send the user to a different place. You want to tell them that they are not allowed to see that place where they tried to go.
Instead, use require to include the php script which should show information about an error to the user, without changing the URI.
if(detectedUserNotAllowed)
{
header('HTTP/1.1 403 FORBIDDEN');
require("error.php");
exit();
}
answered Nov 22 at 17:30
NineBerry
13.1k22858
true, that's a lot better. lol idk how i didn't think of that one, thanks
– edmassarani
Nov 22 at 17:36
add a comment |
Don't use redirection, but script reuse.
Redirection means "What you are looking for, can be found at a different place". You don't want to send the user to a different place. You want to tell them that they are not allowed to see that place where they tried to go.
Instead, use require to include the php script which should show information about an error to the user, without changing the URI.
if(detectedUserNotAllowed)
{
header('HTTP/1.1 403 FORBIDDEN');
require("error.php");
exit();
}
answered Nov 22 at 17:30
NineBerry
13.1k22858
Don't use redirection, but script reuse.
Redirection means "What you are looking for, can be found at a different place". You don't want to send the user to a different place. You want to tell them that they are not allowed to see that place where they tried to go.
Instead, use require to include the php script which should show information about an error to the user, without changing the URI.
if(detectedUserNotAllowed)
{
header('HTTP/1.1 403 FORBIDDEN');
require("error.php");
exit();
}
answered Nov 22 at 17:30
NineBerry
13.1k22858
answered Nov 22 at 17:30
NineBerry
13.1k22858
answered Nov 22 at 17:30
NineBerry
13.1k22858
answered Nov 22 at 17:30
NineBerry
13.1k22858
13.1k22858
true, that's a lot better. lol idk how i didn't think of that one, thanks
– edmassarani
Nov 22 at 17:36
add a comment |
true, that's a lot better. lol idk how i didn't think of that one, thanks
– edmassarani
Nov 22 at 17:36
true, that's a lot better. lol idk how i didn't think of that one, thanks
– edmassarani
Nov 22 at 17:36
true, that's a lot better. lol idk how i didn't think of that one, thanks
– edmassarani
Nov 22 at 17:36
add a comment |
From the docs:
From the docs: "The second special case is the "Location:" header. Not only does it send this header back to the browser, but it also returns a REDIRECT (302) status code to the browser unless the 201 or a 3xx status code has already been set.
http://php.net/manual/en/function.header.php
That being said, you can add the header in your error.php page
header("HTTP/1.0 403 Forbidden");
answered Nov 22 at 17:20
Felippe Duarte
10.3k21524
yes, I could, but the thing i forgot to say in the question was that I am using this error page for multiple error codes. So I wanted to set it before it got to the page, so that it would show the correct error code
– edmassarani
Nov 22 at 17:23
Then create multiple errors page likeerror403.phperror500.phpand so on. These pages canincludeanother page code inside, after set the header.
– Felippe Duarte
Nov 22 at 17:24
i see, I thought it would be possible to do it this way, but I guess not :(
– edmassarani
Nov 22 at 17:25
add a comment |
From the docs:
From the docs: "The second special case is the "Location:" header. Not only does it send this header back to the browser, but it also returns a REDIRECT (302) status code to the browser unless the 201 or a 3xx status code has already been set.
http://php.net/manual/en/function.header.php
That being said, you can add the header in your error.php page
header("HTTP/1.0 403 Forbidden");
answered Nov 22 at 17:20
Felippe Duarte
10.3k21524
yes, I could, but the thing i forgot to say in the question was that I am using this error page for multiple error codes. So I wanted to set it before it got to the page, so that it would show the correct error code
– edmassarani
Nov 22 at 17:23
Then create multiple errors page likeerror403.phperror500.phpand so on. These pages canincludeanother page code inside, after set the header.
– Felippe Duarte
Nov 22 at 17:24
i see, I thought it would be possible to do it this way, but I guess not :(
– edmassarani
Nov 22 at 17:25
add a comment |
From the docs:
From the docs: "The second special case is the "Location:" header. Not only does it send this header back to the browser, but it also returns a REDIRECT (302) status code to the browser unless the 201 or a 3xx status code has already been set.
http://php.net/manual/en/function.header.php
That being said, you can add the header in your error.php page
header("HTTP/1.0 403 Forbidden");
answered Nov 22 at 17:20
Felippe Duarte
10.3k21524
From the docs:
From the docs: "The second special case is the "Location:" header. Not only does it send this header back to the browser, but it also returns a REDIRECT (302) status code to the browser unless the 201 or a 3xx status code has already been set.
http://php.net/manual/en/function.header.php
That being said, you can add the header in your error.php page
header("HTTP/1.0 403 Forbidden");
answered Nov 22 at 17:20
Felippe Duarte
10.3k21524
answered Nov 22 at 17:20
Felippe Duarte
10.3k21524
answered Nov 22 at 17:20
Felippe Duarte
10.3k21524
answered Nov 22 at 17:20
Felippe Duarte
10.3k21524
10.3k21524
yes, I could, but the thing i forgot to say in the question was that I am using this error page for multiple error codes. So I wanted to set it before it got to the page, so that it would show the correct error code
– edmassarani
Nov 22 at 17:23
Then create multiple errors page likeerror403.phperror500.phpand so on. These pages canincludeanother page code inside, after set the header.
– Felippe Duarte
Nov 22 at 17:24
i see, I thought it would be possible to do it this way, but I guess not :(
– edmassarani
Nov 22 at 17:25
add a comment |
yes, I could, but the thing i forgot to say in the question was that I am using this error page for multiple error codes. So I wanted to set it before it got to the page, so that it would show the correct error code
– edmassarani
Nov 22 at 17:23
Then create multiple errors page likeerror403.phperror500.phpand so on. These pages canincludeanother page code inside, after set the header.
– Felippe Duarte
Nov 22 at 17:24
i see, I thought it would be possible to do it this way, but I guess not :(
– edmassarani
Nov 22 at 17:25
yes, I could, but the thing i forgot to say in the question was that I am using this error page for multiple error codes. So I wanted to set it before it got to the page, so that it would show the correct error code
– edmassarani
Nov 22 at 17:23
yes, I could, but the thing i forgot to say in the question was that I am using this error page for multiple error codes. So I wanted to set it before it got to the page, so that it would show the correct error code
– edmassarani
Nov 22 at 17:23
Then create multiple errors page like
error403.php error500.php and so on. These pages can include another page code inside, after set the header.– Felippe Duarte
Nov 22 at 17:24
Then create multiple errors page like
error403.php error500.php and so on. These pages can include another page code inside, after set the header.– Felippe Duarte
Nov 22 at 17:24
i see, I thought it would be possible to do it this way, but I guess not :(
– edmassarani
Nov 22 at 17:25
i see, I thought it would be possible to do it this way, but I guess not :(
– edmassarani
Nov 22 at 17:25
add a comment |
You don't redirect - you simply generate the 403 (or whatever other error code is appropriate) and have Apache send the proper ErrorDocument.
https://httpd.apache.org/docs/2.4/mod/core.html#errordocument
EG -
ErrorDocument 403 /errors/forbidden.php?referrer=%{escape:%{HTTP_REFERER}}
in your Apache vhost config, or a .htaccess file.
Even Apache's docs note what one of the comments reflected about sending a status code followed by a redirect -
Note that when you specify an ErrorDocument that points to a remote
URL (ie. anything with a method such as http in front of it), Apache
HTTP Server will send a redirect to the client to tell it where to
find the document, even if the document ends up being on the same
server. This has several implications, the most important being that
the client will not receive the original error status code, but
instead will receive a redirect status code. This in turn can confuse
web robots and other clients which try to determine if a URL is valid
using the status code. In addition, if you use a remote URL in an
ErrorDocument 401, the client will not know to prompt the user for a
password since it will not receive the 401 status code. Therefore, if
you use an ErrorDocument 401 directive, then it must refer to a local
document.
answered Nov 22 at 17:39
ivanivan
1,609258
add a comment |
You don't redirect - you simply generate the 403 (or whatever other error code is appropriate) and have Apache send the proper ErrorDocument.
https://httpd.apache.org/docs/2.4/mod/core.html#errordocument
EG -
ErrorDocument 403 /errors/forbidden.php?referrer=%{escape:%{HTTP_REFERER}}
in your Apache vhost config, or a .htaccess file.
Even Apache's docs note what one of the comments reflected about sending a status code followed by a redirect -
Note that when you specify an ErrorDocument that points to a remote
URL (ie. anything with a method such as http in front of it), Apache
HTTP Server will send a redirect to the client to tell it where to
find the document, even if the document ends up being on the same
server. This has several implications, the most important being that
the client will not receive the original error status code, but
instead will receive a redirect status code. This in turn can confuse
web robots and other clients which try to determine if a URL is valid
using the status code. In addition, if you use a remote URL in an
ErrorDocument 401, the client will not know to prompt the user for a
password since it will not receive the 401 status code. Therefore, if
you use an ErrorDocument 401 directive, then it must refer to a local
document.
answered Nov 22 at 17:39
ivanivan
1,609258
add a comment |
You don't redirect - you simply generate the 403 (or whatever other error code is appropriate) and have Apache send the proper ErrorDocument.
https://httpd.apache.org/docs/2.4/mod/core.html#errordocument
EG -
ErrorDocument 403 /errors/forbidden.php?referrer=%{escape:%{HTTP_REFERER}}
in your Apache vhost config, or a .htaccess file.
Even Apache's docs note what one of the comments reflected about sending a status code followed by a redirect -
Note that when you specify an ErrorDocument that points to a remote
URL (ie. anything with a method such as http in front of it), Apache
HTTP Server will send a redirect to the client to tell it where to
find the document, even if the document ends up being on the same
server. This has several implications, the most important being that
the client will not receive the original error status code, but
instead will receive a redirect status code. This in turn can confuse
web robots and other clients which try to determine if a URL is valid
using the status code. In addition, if you use a remote URL in an
ErrorDocument 401, the client will not know to prompt the user for a
password since it will not receive the 401 status code. Therefore, if
you use an ErrorDocument 401 directive, then it must refer to a local
document.
answered Nov 22 at 17:39
ivanivan
1,609258
You don't redirect - you simply generate the 403 (or whatever other error code is appropriate) and have Apache send the proper ErrorDocument.
https://httpd.apache.org/docs/2.4/mod/core.html#errordocument
EG -
ErrorDocument 403 /errors/forbidden.php?referrer=%{escape:%{HTTP_REFERER}}
in your Apache vhost config, or a .htaccess file.
Even Apache's docs note what one of the comments reflected about sending a status code followed by a redirect -
Note that when you specify an ErrorDocument that points to a remote
URL (ie. anything with a method such as http in front of it), Apache
HTTP Server will send a redirect to the client to tell it where to
find the document, even if the document ends up being on the same
server. This has several implications, the most important being that
the client will not receive the original error status code, but
instead will receive a redirect status code. This in turn can confuse
web robots and other clients which try to determine if a URL is valid
using the status code. In addition, if you use a remote URL in an
ErrorDocument 401, the client will not know to prompt the user for a
password since it will not receive the 401 status code. Therefore, if
you use an ErrorDocument 401 directive, then it must refer to a local
document.
answered Nov 22 at 17:39
ivanivan
1,609258
answered Nov 22 at 17:39
ivanivan
1,609258
answered Nov 22 at 17:39
ivanivan
1,609258
answered Nov 22 at 17:39
ivanivan
1,609258
1,609258
add a comment |
add a comment |
You cannot redirect with a 403 code, browsers won't heed a location header if the status code is not one of the 3xx section.
This is found in RFC 7231:
For 3xx (Redirection) responses, the Location value refers to the
preferred target resource for automatically redirecting the
request.
answered Nov 22 at 17:24
maio290
1,605414
add a comment |
You cannot redirect with a 403 code, browsers won't heed a location header if the status code is not one of the 3xx section.
This is found in RFC 7231:
For 3xx (Redirection) responses, the Location value refers to the
preferred target resource for automatically redirecting the
request.
answered Nov 22 at 17:24
maio290
1,605414
add a comment |
You cannot redirect with a 403 code, browsers won't heed a location header if the status code is not one of the 3xx section.
This is found in RFC 7231:
For 3xx (Redirection) responses, the Location value refers to the
preferred target resource for automatically redirecting the
request.
answered Nov 22 at 17:24
maio290
1,605414
You cannot redirect with a 403 code, browsers won't heed a location header if the status code is not one of the 3xx section.
This is found in RFC 7231:
For 3xx (Redirection) responses, the Location value refers to the
preferred target resource for automatically redirecting the
request.
answered Nov 22 at 17:24
maio290
1,605414
answered Nov 22 at 17:24
maio290
1,605414
answered Nov 22 at 17:24
maio290
1,605414
answered Nov 22 at 17:24
maio290
1,605414
1,605414
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53435718%2fredirecting-with-header-but-http-code-is-always-200%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
