Monthly Archives: September 2013


Location header is optional not mandatory

I thought I’d write a short post about this issue as I’ve seen it come up a couple of times in PHP code audits. The incorrect assumption is that the Location header somehow forces a browser or forces execution to move elsewhere. Take a look at the following code sample – <?php $logged_in = 0; /* Do login verification routine here */ if (!$logged_in) { /* User is not logged in and shouldn’t be here */ header("Location: /index.php"); } /* User is logged in */ echo "Secret Member Content"; ?> […]

By | September 13th, 2013|PHP, Security Consultant|0 Comments