PHP: Utilizing exit(); or die(); after header("Location: ");
Solution 1
I have been looking for an answer on this as well. What I found:
Why die() or exit():
If you don't put a die() or exit() after your header('Location: http://something'), your script may continue, resulting in unexpected behaviour. This may for example result in content being disclosed that you actually wanted to prevent with the redirect (HTTP 301). The aforementioned may not directly be visible for an end user as the browser may not render it (due to the 301). Conclusion: the exit() and die() functions stop the script from continuing.
Difference:
I also wanted to know the difference between the functions as it seems there is none. However, in PHP, there is a distinct difference in Header output. In the examples below I chose to use a different header, but for the sake of showing the difference between exit() and die() that doesn't matter.
Exit() in action
<?php
header('HTTP/1.1 304 Not Modified');
exit();
?>
Results in:
HTTP/1.1 304 Not Modified
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
Die() in action
<?php
header('HTTP/1.1 304 Not Modified');
die();
?>
Results in:
HTTP/1.1 304 Not Modified
Connection: close
Difference
So, die() closes the connection and exit() doesn't. It depends on performance whether or not you want to keep the connection open or close it. Both have advantages and disadvantages, and it depends on your specific requirement(s).
HTTP persistent connections on Wiki
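The fall-through described in this answer can be observed directly. The following is an added example, not code from the answer; the file name, the `user_id` session key, the `mode` switch and the sample e-mail address are constructed for the demonstration.

```php
<?php
// ear_demo.php (constructed demo). Serve it with PHP's built-in server:
//   php -S 127.0.0.1:8000
// and compare the raw responses (a browser would follow the redirect and hide the body):
//   curl -i 'http://127.0.0.1:8000/ear_demo.php?mode=vulnerable'
//   curl -i 'http://127.0.0.1:8000/ear_demo.php?mode=fixed'

session_start();

// Hypothetical session key set by a login script; absent for anonymous visitors.
$loggedIn = !empty($_SESSION['user_id']);
$mode     = $_GET['mode'] ?? 'fixed';

if (!$loggedIn) {
    // header() only queues the header and switches the status to 302.
    // It does not stop the script.
    header('Location: /login.php');

    if ($mode !== 'vulnerable') {
        exit; // fixed: nothing below this line runs for anonymous visitors
    }
    // vulnerable: execution falls through, as in a script with no exit()/die()
}

// Everything from here on was meant for logged-in users only. Without the
// exit above it still executes: output lands in the body of the 302 response,
// and side effects (database writes, mail, cookie changes) still happen.
echo "Account e-mail: alice@example.test\n"; // constructed sample data
```

In `vulnerable` mode the response is a 302 whose body still contains the account line; in `fixed` mode the body is empty.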
Solution 2
http://php.net/manual/en/function.exit.php
http://php.net/manual/en/function.die.php
These functions are used to interrupt script execution. You need to use exit or die to stop execution of your script after header("Location: " . getenv("HTTP_REFERER")); because otherwise your script will be executed to the end, which can cause some unexpected behavior.
Solution 3
An answer has already been accepted; however, it seems everyone is missing the glaring WTF in the question:
header("Location: " . getenv("HTTP_REFERER"));
Returning a referer is optional on the part of the user agent
it can easily be faked
there is no method for telling the user the login has failed
there is no HTTP semantic communication of an authentication failure
while the environment variable HTTP_REFERER should be the same as the request header variable, it is not specified in RFC 3875, therefore even where presented to the webserver in the request, getenv("HTTP_REFERER") may return a different value
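One way to return a user to the page they came from without reading the Referer header, shown as an added example that is not part of the answer above: keep the target in the session and accept only site-local paths. The function names and the `return_to` session key are hypothetical.

```php
<?php
// Added example: post-login redirect that never reads HTTP_REFERER.
// safeReturnPath(), redirectAndExit() and 'return_to' are hypothetical names.

function safeReturnPath(?string $candidate, string $default = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $default;
    }
    // Control characters (CR/LF included) and backslashes are never valid here;
    // some browsers treat "\" like "/".
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate)) {
        return $default;
    }
    // Accept only a site-local absolute path: exactly one leading "/".
    // "//host/..." is a scheme-relative URL and would leave the site.
    if ($candidate[0] !== '/' || substr($candidate, 0, 2) === '//') {
        return $default;
    }
    return $candidate;
}

function redirectAndExit(string $path): void
{
    header('Location: ' . $path, true, 303); // 303: fetch the target with GET after the login POST
    exit;                                    // stop the script, as the answers above advise
}

// Before showing the login form:   $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
// In login.php after a successful credentials check:
//   $target = safeReturnPath($_SESSION['return_to'] ?? null);
//   unset($_SESSION['return_to']);
//   redirectAndExit($target);

// Constructed inputs showing what the check keeps and what it replaces with "/".
if (PHP_SAPI === 'cli') {
    $samples = ['/account/settings?tab=2', 'https://example.test/', '//example.test/x',
                '/\example.test', "/a\r\nX-Test: 1", ''];
    foreach ($samples as $s) {
        printf("%-28s => %s\n", json_encode($s), safeReturnPath($s));
    }
}
```

Run from the command line, only the first sample is returned unchanged; every other input falls back to `/`.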
Solution 4
Ok, it has been a long time since the last answer was given. Anyway :D somehow I stumbled across a similar prob and see what my solution was:
die( Header( "Location: mytarget.php?arg1=foobar" ) );
Two birds with one stone - seems to work for me.
Aaron
Updated on July 09, 2022
Comments
-
Aaron almost 2 years
I have a user login/registration system that simply uses
// execute queries, set cookies, etc. here
header("Location: " . getenv("HTTP_REFERER"));
I recently read a post about exit(); and die(); and had no idea that I was supposed to be using these. From what I understand, they make it end the PHP? Is that correct? What's the best way I can work toward this, simply adding one of these functions directly after every header(); execution I have? I have AJAX, jQuery reading through my login.php/register.php, will this be affected in any way?
Edit: Other than after header();, where else should I be utilizing the exit(); or die(); functions? And is exit(); more used around PHP whereas die(); more used around Perl?
-
Aaron over 12 years
In my login.php I have it check if a user has successfully logged in with proper credentials - if so it will set a cookie - then header("Location"); to the referral page. In this way, no matter where they are on the site, when they log on, it will take them back to the page they logged in at instead of taking them to the main page or login.php. Is there a better method than this then?
-
symcbean over 12 years
Drop a cookie with the intended page URL before rendering the login page, or pass the URL as a $_GET var, or store the intended URL in the session
-
lol about 10 years
My HTTP knowledge is a bit hazy at this stage of the semester - when we pull a 301, the browser will (usually; i.e. a correct spec one) close the connection and open another get request, will it not? Or will it use the existing connection to request again?
-
mowgli over 9 years
You can also join it with exit(header('Location: xxxxx.php'));
-
mpen over 7 years
-
mergen almost 5 years
It's absolutely crucial to exit or die after sending a Location header, since you cannot guarantee that your header will actually be respected. Have a good read about what can go wrong.
-
Grzegorz Adam Kowalski about 4 years
Just tested it and exit and die work the same way, they both close the connection.
-
s3c about 3 years
Downvoted, since die and exit truly are identical.
-
ksiimson almost 3 years
This will keep the return value from the header() function in a temporary variable, which is passed to die(). It works, because the return value from header() is always null. Another difference is that it doesn't allow debuggers to create breakpoints between the die() and header() calls.
-
Eugene Zakharenko over 2 years
php.net/manual/en/function.die.php Die() is equivalent to exit(). Whether it closes the connection or not depends on other conditions.