The header function may seem relatively straightforward on the surface. You issue the function along with a header as the first argument and it does the rest for you. Many people rely religiously on the header function working to forward users to the next page.
To exemplify this, as a programmer you may code the following lines to be placed into your script:
PHP Code:
if($pMember->doLogin())
{
    header('location: http://www.talkphp.com/login/success/');
}
$pMember->doLogout();
This will log a user in if the login is available; otherwise, if doLogin() returns false or NULL, it logs the user out. Now, this will work absolutely perfectly if everything goes the way you expect it to. The user is logged in and then forwarded to a page where you can praise them for valid credentials.
However, what if the user is logged in and then logged out straight after? It may seem impossible based on the above code, as the header() has been issued to send users to another page before we get down to the doLogout() function.
This is where paying attention may save your integrity as a programmer, or as a blossoming programmer at the very least. The header function sends a header instruction to the client's browser. It is entirely up to the browser whether or not to act on that instruction. In the simplest terms, the browser makes up its own mind whether or not to follow the location to your desired destination.
What would happen if the browser is stubborn and decides not to leave the page when the location header is issued? That's right! The script will continue executing, because header() itself does nothing to halt it, causing many adverse effects. In our case, logging a user out straight after they've logged in may be an annoyance, but at least it doesn't cause any blatant security issues. However, many programmers rely on the header to protect their scripts.
The security issues arise when you realise how many programmers use location to divert users away from code which should not be executed. The following is a good example of where location is used to divert users away from the page if they are accessing it directly and not via another page that includes it:
PHP Code:
if(!isset($bUsingSSI))
{
    // No exit here: everything below this block still runs for a direct request
    header('location: http://www.talkphp.com/');
}
Please see the attachment for this in action. I have emulated the scenario using Telnet as my browser. Telnet is not going to follow any location unless I explicitly instruct it to.
The lesson to be learned today?
ALWAYS issue the exit construct after any header(). Like so:
PHP Code:
if($pMember->doLogin())
{
    header('location: http://www.talkphp.com/login/success/');
    exit;
}
$pMember->doLogout();
There is then absolutely no way a user will be logged out if they have been logged in a couple of lines above.