Reliability of both the exit() and header() functions for system security

Question

Okay, so I have some code here:

<?php session_start();
if (!isset($_SESSION['blah'])) {
header('Location: foo.php'); exit();

}
?>

<!DOCTYPE html>
<html>
<head>
<meta charset = 'utf-8' />
<title>Check Login</title>
</head>
<body>
// members only content here
</body>
</html>

So, I've found a foolproof way around using either headers or exit statements for redirects (by echoing a particular document depending on the value of an if-else statement), but using headers is a lot cleaner than echoing an entire webpage in a heredoc. (I also know I should be using HTTPS for additional security).

I have two questions.

1. How widespread is browser support for the Location header? I know I can't use it on its own by reading similar questions, but I wouldn't mind knowing anyway.

2. Also, how reliable is the use of php's exit() function for maintaining system security? Does it always work, or should I just echo a HEREDOC instead when security really matters?

Answer 1

Virtually any browser existing today does support Location; However, you should be careful about which status code you send along with it (3rd parameter to header). See rfc2616 sec10 for more information about which code to choose; 303 seems more correct but 302 is better supported.

How reliable exit() is, really depends on how reliable your server is. If your PHP code is executed, exit() will always abort execution and send the result to the browser. However, a wrongly configured webserver may directly expose your PHP code instead of executing it. This comment explains how you can mitigate this problem.

 

As for following the specs, rfc2616 sec10 says:

Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s).

You can implement this by not using exit() but using die('<a href="foo.php">You are redirected.</a>') instead.