Redirecting with header, but http code is always 200












So, I have a page that checks if the user is logged in, and if they aren't, they are redirected to the error page with code 403. This is the code I use to redirect:

    header('Location: /error.php', true, 403);

But, instead of redirecting it only sets the code to 403. And if I try:

    header('HTTP/1.1 403 FORBIDDEN');
    header('Location: /error.php');

Then it redirects, but the code is 200...
I'm really lost here and couldn't find anything that worked.

ps: this is my error.php page

    <link rel="stylesheet" href="css/error.css">
    <?php if (http_response_code() === 404) : ?>
    <div class="error">404</div>
    <br /><br />
    <span class="info">File not found</span>
    <img src="http://images2.layoutsparks.com/1/160030/too-much-tv-static.gif" class="static" />
    <?php elseif (http_response_code() === 403) : ?>
    <div class="error">403</div>
    <br /><br />
    <span class="info">Unauthorized access</span>
    <img src="http://images2.layoutsparks.com/1/160030/too-much-tv-static.gif" class="static" />
    <?php endif; ?>









edited Nov 22 '18 at 17:25
edmassarani

asked Nov 22 '18 at 17:17
edmassarani
























4 Answers


















Don't use redirection, but script reuse.

Redirection means "What you are looking for can be found at a different place". You don't want to send the user to a different place. You want to tell them that they are not allowed to see that place where they tried to go.

Instead, use require to include the PHP script which should show information about an error to the user, without changing the URI.

    // $detectedUserNotAllowed stands for the result of your own login check
    if ($detectedUserNotAllowed)
    {
        header('HTTP/1.1 403 FORBIDDEN'); // status only, no Location header
        require("error.php");             // render the error page under the requested URI
        exit();                           // stop before any protected output
    }






answered Nov 22 '18 at 17:30
NineBerry

• true, that's a lot better. lol idk how i didn't think of that one, thanks
  – edmassarani
  Nov 22 '18 at 17:36





















From the docs:

"The second special case is the "Location:" header. Not only does it send this header back to the browser, but it also returns a REDIRECT (302) status code to the browser unless the 201 or a 3xx status code has already been set."

http://php.net/manual/en/function.header.php

That being said, you can add the header in your error.php page:

    header("HTTP/1.0 403 Forbidden");






answered Nov 22 '18 at 17:20
Felippe Duarte

• yes, I could, but the thing I forgot to say in the question was that I am using this error page for multiple error codes. So I wanted to set it before it got to the page, so that it would show the correct error code
  – edmassarani
  Nov 22 '18 at 17:23

• Then create multiple error pages like error403.php, error500.php and so on. These pages can include another page's code inside, after setting the header.
  – Felippe Duarte
  Nov 22 '18 at 17:24

• I see, I thought it would be possible to do it this way, but I guess not :(
  – edmassarani
  Nov 22 '18 at 17:25



















You don't redirect - you simply generate the 403 (or whatever other error code is appropriate) and have Apache send the proper ErrorDocument.

https://httpd.apache.org/docs/2.4/mod/core.html#errordocument

EG -

    ErrorDocument 403 /errors/forbidden.php?referrer=%{escape:%{HTTP_REFERER}}

in your Apache vhost config, or a .htaccess file.

Even Apache's docs note what one of the comments reflected about sending a status code followed by a redirect -

"Note that when you specify an ErrorDocument that points to a remote URL (ie. anything with a method such as http in front of it), Apache HTTP Server will send a redirect to the client to tell it where to find the document, even if the document ends up being on the same server. This has several implications, the most important being that the client will not receive the original error status code, but instead will receive a redirect status code. This in turn can confuse web robots and other clients which try to determine if a URL is valid using the status code. In addition, if you use a remote URL in an ErrorDocument 401, the client will not know to prompt the user for a password since it will not receive the 401 status code. Therefore, if you use an ErrorDocument 401 directive, then it must refer to a local document."








answered Nov 22 '18 at 17:39
ivanivan























You cannot redirect with a 403 code, browsers won't heed a location header if the status code is not one of the 3xx section.

This is found in RFC 7231:

"For 3xx (Redirection) responses, the Location value refers to the preferred target resource for automatically redirecting the request."








answered Nov 22 '18 at 17:24
maio290
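
The question's two attempts and the script-reuse fix from the answers, side by side, as an added example that is not code from the original posts. The route names, `deny()` and `error_page()` are made up for illustration, `error_page()` stands in for the question's error.php, and the script assumes PHP's built-in development server.

```php
<?php
// demo.php: added example, not code from the question or the answers.
// Route names are made up. Run: php -S 127.0.0.1:8000 demo.php
// then compare `curl -i` on /attempt1, /attempt2, /fixed and /missing.
declare(strict_types=1);

// Stand-in for the question's error.php: it renders whatever status is already set.
function error_page(): void
{
    $code  = (int) http_response_code();
    $texts = [403 => 'Unauthorized access', 404 => 'File not found'];
    $info  = $texts[$code] ?? 'No error status on this request';
    echo "<div class=\"error\">{$code}</div>\n<span class=\"info\">{$info}</span>\n";
}

// Script reuse: set the status for the URL that was requested, render, stop.
function deny(int $status): void
{
    if (headers_sent($file, $line)) {
        // Too late: the status line (200) left with the first byte of output.
        error_log("cannot send {$status}, output started at {$file}:{$line}");
        exit;
    }
    header_remove('Location');   // a stale Location has no place on an error response
    http_response_code($status);
    error_page();
    exit;                        // the protected page body below must never run
}

$path = (string) parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);

switch ($path) {
    case '/attempt1':
        // First try from the question: status stays 403, Location is sent but
        // browsers only follow it on 3xx, so the user sees an empty 403.
        header('Location: /error.php', true, 403);
        exit;

    case '/attempt2':
        // Second try: the later Location header replaces 403 with 302. The
        // browser then requests /error.php, which is an ordinary 200 response.
        header('HTTP/1.1 403 FORBIDDEN');
        header('Location: /error.php');
        exit;

    case '/error.php':
        error_page();
        exit;

    case '/fixed':
        $loggedIn = false;       // constructed: stands for the real session check
        if (!$loggedIn) {
            deny(403);
        }
        echo "members-only content\n";
        exit;

    default:
        deny(404);
}
```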





























