Redirecting with header, but http code is always 200

Score: 2

So, I have a page that checks if the user is logged in and if he isn't they are redirected to the error page with code 403. This is the code I use to redirect:

header('Location: /error.php', true, 403);

But, instead of redirecting it only sets the code to 403. And if I try:

header('HTTP/1.1 403 FORBIDDEN');
header('Location: /error.php');

Then it redirects, but the code is 200...
I'm really lost here and couldn't find anything that worked.

ps: this is my error.php page

<link rel="stylesheet" href="css/error.css">
<?php if (http_response_code() === 404) : ?>
<div class="error">404</div>
<br /><br />
<span class="info">File not found</span>
<img src="http://images2.layoutsparks.com/1/160030/too-much-tv-static.gif" class="static" />
<?php elseif (http_response_code() === 403) : ?>
<div class="error">403</div>
<br /><br />
<span class="info">Unauthorized access</span>
<img src="http://images2.layoutsparks.com/1/160030/too-much-tv-static.gif" class="static" />
<?php endif; ?>

php http

edited Nov 22 at 17:25
asked Nov 22 at 17:17
edmassarani

4 Answers

Score: 2 (accepted)

Don't use redirection, but script reuse.

Redirection means "What you are looking for, can be found at a different place". You don't want to send the user to a different place. You want to tell them that they are not allowed to see that place where they tried to go.

Instead, use require to include the php script which should show information about an error to the user, without changing the URI.

if ($detectedUserNotAllowed)
{
    // Send the 403 status with this response; no Location header, so the URI stays the same
    header('HTTP/1.1 403 FORBIDDEN');
    // Render the shared error page in place of the protected content
    require("error.php");
    // Stop here so nothing from the protected page is output
    exit();
}

answered Nov 22 at 17:30
NineBerry

• true, that's a lot better. lol idk how i didn't think of that one, thanks
  – edmassarani
  Nov 22 at 17:36
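
The approach from the answer above, extended so one template serves several status codes the way the question's error.php does. This is an added example, not code from the question or the answers; deny(), render_error_page(), ERROR_PAGES and the $_SESSION['user_id'] check are assumed names.

```php
<?php
declare(strict_types=1);

// Added example: ERROR_PAGES, render_error_page(), deny() and the
// $_SESSION['user_id'] key are assumptions, not taken from the page.

// Status codes the guard is allowed to emit, with the text shown to the
// visitor. Any other value is downgraded to a generic 500.
const ERROR_PAGES = [
    403 => 'Unauthorized access',
    404 => 'File not found',
];

/**
 * Build the error body for a status code. Kept apart from the header
 * logic so it can be called without sending a response.
 */
function render_error_page(int $status): string
{
    $message = ERROR_PAGES[$status] ?? 'Internal error';

    return sprintf(
        '<div class="error">%d</div><br /><br /><span class="info">%s</span>',
        $status,
        htmlspecialchars($message, ENT_QUOTES, 'UTF-8')
    );
}

/**
 * Answer the current request with an error status and stop.
 * No Location header is sent, so PHP does not switch the status to 302:
 * the URL stays the same and browsers, crawlers and scanners all see
 * the real 4xx code on the URL that was refused.
 */
function deny(int $status): void
{
    if (!array_key_exists($status, ERROR_PAGES)) {
        $status = 500;
    }

    if (headers_sent($file, $line)) {
        // Output has started, so the status line can no longer change.
        // Log it: the client will see 200 even though access was refused.
        error_log("deny($status) called after output began at $file:$line");
    } else {
        http_response_code($status);
        // Keep shared caches from storing the refusal for this URL.
        header('Cache-Control: no-store');
    }

    echo render_error_page($status);

    // Fail closed: without exit the rest of the protected script would
    // still run and its output would follow the error page.
    exit;
}

// Guard at the top of a protected page, before any output is produced.
session_start();
if (empty($_SESSION['user_id'])) {
    deny(403);
}

echo 'Protected content';
```

Requesting the page with `curl -i` and no session should show `HTTP/1.1 403 Forbidden` on the original URL, with no `Location` header and no protected content in the body.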




















Score: 3

From the docs: "The second special case is the "Location:" header. Not only does it send this header back to the browser, but it also returns a REDIRECT (302) status code to the browser unless the 201 or a 3xx status code has already been set."

http://php.net/manual/en/function.header.php

That being said, you can add the header in your error.php page

header("HTTP/1.0 403 Forbidden");

answered Nov 22 at 17:20
Felippe Duarte

• yes, I could, but the thing I forgot to say in the question was that I am using this error page for multiple error codes. So I wanted to set it before it got to the page, so that it would show the correct error code
  – edmassarani
  Nov 22 at 17:23

• Then create multiple error pages like error403.php, error500.php and so on. These pages can include another page's code inside, after setting the header.
  – Felippe Duarte
  Nov 22 at 17:24

• I see, I thought it would be possible to do it this way, but I guess not :(
  – edmassarani
  Nov 22 at 17:25

Score: 1

You don't redirect - you simply generate the 403 (or whatever other error code is appropriate) and have Apache send the proper ErrorDocument.

https://httpd.apache.org/docs/2.4/mod/core.html#errordocument

EG -

ErrorDocument 403 /errors/forbidden.php?referrer=%{escape:%{HTTP_REFERER}}

in your Apache vhost config, or a .htaccess file.

Even Apache's docs note what one of the comments reflected about sending a status code followed by a redirect -

Note that when you specify an ErrorDocument that points to a remote
URL (ie. anything with a method such as http in front of it), Apache
HTTP Server will send a redirect to the client to tell it where to
find the document, even if the document ends up being on the same
server. This has several implications, the most important being that
the client will not receive the original error status code, but
instead will receive a redirect status code. This in turn can confuse
web robots and other clients which try to determine if a URL is valid
using the status code. In addition, if you use a remote URL in an
ErrorDocument 401, the client will not know to prompt the user for a
password since it will not receive the 401 status code. Therefore, if
you use an ErrorDocument 401 directive, then it must refer to a local
document.

answered Nov 22 at 17:39
ivanivan

                          up vote
                          0
                          down vote









                          You cannot redirect with a 403 code, browsers won't heed a location header if the status code is not one of the 3xx section.



                          This is found in RFC 7231:




                          For 3xx (Redirection) responses, the Location value refers to the
                          preferred target resource for automatically redirecting the
                          request.







                          share|improve this answer












                          You cannot redirect with a 403 code, browsers won't heed a location header if the status code is not one of the 3xx section.



                          This is found in RFC 7231:




                          For 3xx (Redirection) responses, the Location value refers to the
                          preferred target resource for automatically redirecting the
                          request.








                          share|improve this answer












                          share|improve this answer



                          share|improve this answer










                          answered Nov 22 at 17:24









                          maio290
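
An added example, not part of either answer or the original question: instead of redirecting, the protected page can set the 403 status and render the question's `error.php` in the same request, so `http_response_code()` inside it still reads 403. The function name `deny`, the session key `user_id`, and `error.php` living in the same directory are assumptions.

```php
<?php
// Added example: guard at the top of a protected page (hypothetical names).
declare(strict_types=1);

session_start();

/**
 * End the request with the given status and render the error page in place.
 *
 * No Location header is sent: PHP's header('Location: ...') switches the
 * status to 302 unless a 201 or 3xx is already set, and the browser's
 * follow-up request to /error.php is a new request that answers 200.
 */
function deny(int $status): void
{
    http_response_code($status);         // status line of THIS response
    header('Cache-Control: no-store');   // keep the denial out of caches
    require __DIR__ . '/error.php';      // its http_response_code() check now sees $status
    exit;                                // never fall through to the protected content
}

// Assumed session key that the login code sets on success.
if (empty($_SESSION['user_id'])) {
    deny(403);
}

// ... protected page content follows; only reached when logged in ...
echo 'Welcome back';
```

The `exit` matters as much as the status code: without it the script keeps running and the protected content is sent in the body of the 403 response.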






























