There’s a trick that lets you bypass redirects done with the Location header.
It’s quite easy once you look at how HTTP works: a Location redirect is just a response header sent to the browser, and the browser performs the redirection on its own. That part is perfectly normal.
The problem is a common bad coding practice built on top of it. I’ll show you how easy it is to bypass and how to protect yourself against it.
Let’s take this snippet for example:
<?php
// test.php: the vulnerable version, kept as on the page. The header is set,
// but the script keeps running and the "protected" page is still sent.
$loggedIn = false;
if ($loggedIn !== true) {
    header('Location: /login');
}
echo "Welcome to your user control panel.";
You might think that this is as foolproof as it gets, but that’s not the case.
Let’s look at our request through Fiddler:
That looks pretty normal, right? When I navigated to the page I didn’t see anything that was on test.php; I ended up at /login through a 302 redirect.
But here comes the fun part, let’s look at the actual HTTP response we got from the server (for the test.php request):
As you can see, the header by itself protects nothing: the server sent the 302 status and the Location header, then kept executing and sent the rest of the page anyway. Any client that does not follow redirects (curl -i, Fiddler, Burp, or a browser with redirects blocked) reads content it was never supposed to see.
A safe fix is to call die() or exit() right after setting the header:
header('Location: /login');
die(); // nothing after this line is executed or sent
This makes the response look like:
The response now carries only the status line and headers, with an empty body, which is far safer. 🙂
The lesson is that header('Location: ...') does not make the server-side application redirect. It only adds a header to the output that tells the browser it should redirect, and a browser, or any other HTTP client, can ignore that. The script keeps running until it ends or you stop it.
It is also important not to output anything before setting headers in PHP. Once output has started, header() fails with a "headers already sent" warning, the Location header is never delivered, and the response goes out as a normal 200 with the full page, so the check is gone for browsers too. Output buffering can hide this in development and then break in production, so check headers_sent() rather than relying on it.
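As an added example that is not part of the original post, the following Python script reproduces the exchange above locally without a PHP server. A small WSGI app plays the role of test.php (leaky=True mimics header() without die(), leaky=False mimics the fix), and http.client plays the role of Fiddler or curl -i, a client that does not follow Location. The body text, the path /test.php and the loopback port handling are assumptions of this example.

```python
"""Reproduce the Location-header leak and its fix with a local server.

Added example, not code from the original post. A WSGI app stands in for
the PHP page; http.client acts as a client that does NOT follow redirects,
which is the role curl -i, Fiddler or Burp play in the post.
"""
import http.client
import threading
from wsgiref.simple_server import make_server, WSGIRequestHandler

# Constructed stand-in for the post-redirect page content.
SECRET_BODY = b"Welcome to your user control panel."


class QuietHandler(WSGIRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def make_app(leaky: bool):
    """WSGI app mirroring the PHP snippet. leaky=True is header() without die()."""
    def app(environ, start_response):
        logged_in = False  # same hard-coded state as the PHP example
        if not logged_in:
            # Equivalent of header('Location: /login'): status and header only.
            start_response("302 Found", [("Location", "/login"),
                                         ("Content-Type", "text/plain")])
            if not leaky:
                return [b""]  # the die()/exit() fix: stop here, empty body
            # leaky: fall through and keep rendering, exactly like the PHP bug
        else:
            start_response("200 OK", [("Content-Type", "text/plain")])
        return [SECRET_BODY]
    return app


def start_server(leaky: bool):
    """Bind an ephemeral loopback port and serve in a daemon thread."""
    server = make_server("127.0.0.1", 0, make_app(leaky),
                         handler_class=QuietHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_without_following(port: int, path: str = "/test.php"):
    """GET the page and return (status, location, body); never follows Location."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read()
    finally:
        conn.close()


def demo():
    """Run both variants; returns {'leaky': (status, location, body), 'fixed': ...}."""
    results = {}
    for name, leaky in (("leaky", True), ("fixed", False)):
        server = start_server(leaky)
        try:
            results[name] = fetch_without_following(server.server_port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, (status, location, body) in demo().items():
        print(f"{name}: {status} Location={location} body={body!r}")
```

Both variants answer 302 with Location: /login; only the leaky one also ships the control-panel text in the body, which is what a redirect-following browser hides and a raw client shows. Against a real PHP app the equivalent check is curl -i http://host/test.php, which prints the status line, headers and body and does not follow redirects unless you pass -L.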