
This might seem like an odd request, but I'm trying to redirect users away from a particular set of pages and set a 403 header so that my error handler picks up on it and displays the necessary notification. My redirect script is not redirecting users though.

I'm attempting to redirect using this script:

// Redirect users from sensitive pages
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== "admin") {
    $redirect = array();
    $redirect[] = "uploadImg.php";
    if (in_array(basename($_SERVER["SCRIPT_FILENAME"]), $redirect)) {
        header('HTTP/1.1 403 FORBIDDEN');
        header('Status: 403 You Do Not Have Access To This Page');
        header("Location: index.php");
    }
}

But oddly enough if I remove these two lines:

  header('HTTP/1.1 403 FORBIDDEN');
  header('Status: 403 You Do Not Have Access To This Page');

and make the script:

// Redirect users from sensitive pages
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== "admin") {
    $redirect = array();
    $redirect[] = "uploadImg.php";
    if (in_array(basename($_SERVER["SCRIPT_FILENAME"]), $redirect)) {
        header("Location: index.php");
    }
}

It redirects the users back to the index.php page.

I'm specifically trying to set headers so that my .htaccess picks up on the error and performs the error document handling.

This is my .htaccess:

ErrorDocument 400 /index.php?err=400
ErrorDocument 401 /index.php?err=401
ErrorDocument 403 /index.php?err=403
ErrorDocument 404 /index.php?err=404
ErrorDocument 500 /index.php?err=500
ErrorDocument 502 /index.php?err=502
ErrorDocument 504 /index.php?err=504

Options -MultiViews
RewriteEngine On
RewriteBase /

RewriteRule ^h/(\d+)/w/(\d+)/a/([a-z]+)/thumb/(.+)$ /gallery/thumb.php?h=$1&w=$2&a=$3&src=$4 [L]
RewriteRule ^h/(\d+)/w/(\d+)/a/([a-z]+)/watermark/(.+)$ /gallery/watermark.php?h=$1&w=$2&a=$3&src=$4 [L]

<FilesMatch "\.(jpg|png|gif|jpeg)$">
ErrorDocument 404 /error.png
</FilesMatch>

<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin http://example.com  
    Header set Access-Control-Allow-Credentials true
</IfModule>

And finally my error handler script on index.php:

if (isset($_GET['err'])) {
    $error_status = $_GET['err'];
    switch ($error_status) {
        case 400:
            echo '<div class="alert alert-danger alert-top" role="alert">' . PHP_EOL;
            echo '<a href="#" class="close" data-dismiss="alert" aria-label="close">&times;</a>' . PHP_EOL;
            echo '<strong>400 Bad Request:</strong> There was an error with your request.' . PHP_EOL;
            echo '</div>' . PHP_EOL;
            break;

        case 401:
            echo '<div class="alert alert-danger alert-top" role="alert">' . PHP_EOL;
            echo '<a href="#" class="close" data-dismiss="alert" aria-label="close">&times;</a>' . PHP_EOL;
            echo '<strong>401 UNAUTHORIZED:</strong> You are not authorized to view this page or directory.' . PHP_EOL;
            echo '</div>' . PHP_EOL;
            break;

        case 403:
            echo '<div class="alert alert-danger alert-top" role="alert">' . PHP_EOL;
            echo '<a href="#" class="close" data-dismiss="alert" aria-label="close">&times;</a>' . PHP_EOL;
            echo '<strong>403 FORBIDDEN:</strong> You do not have access to this file or directory.' . PHP_EOL;
            echo '</div>' . PHP_EOL;
            break;

        case 404:
            echo '<div class="alert alert-danger alert-top" role="alert">' . PHP_EOL;
            echo '<a href="#" class="close" data-dismiss="alert" aria-label="close">&times;</a>' . PHP_EOL;
            echo '<strong>404 Error:</strong> The page you are looking for does not exist.' . PHP_EOL;
            echo '</div>' . PHP_EOL;
            break;

        case 500:
            echo '<div class="alert alert-danger alert-top" role="alert">' . PHP_EOL;
            echo '<a href="#" class="close" data-dismiss="alert" aria-label="close">&times;</a>' . PHP_EOL;
            echo '<strong>500 Internal Server Error:</strong> The server encountered an error. Please try again.' . PHP_EOL;
            echo '</div>' . PHP_EOL;
            break;

        case 502:
            echo '<div class="alert alert-danger alert-top" role="alert">' . PHP_EOL;
            echo '<a href="#" class="close" data-dismiss="alert" aria-label="close">&times;</a>' . PHP_EOL;
            echo '<strong>502 Bad Gateway:</strong> The server received an invalid response.' . PHP_EOL;
            echo '</div>' . PHP_EOL;
            break;

        case 504:
            echo '<div class="alert alert-danger alert-top" role="alert">' . PHP_EOL;
            echo '<a href="#" class="close" data-dismiss="alert" aria-label="close">&times;</a>' . PHP_EOL;
            echo '<strong>504 Gateway Timeout:</strong> The server is taking too long to respond.' . PHP_EOL;
            echo '</div>' . PHP_EOL;
            break;
    }
}

More or less I'm wondering why these two lines would stop my redirect script from working:

  header('HTTP/1.1 403 FORBIDDEN');
  header('Status: 403 You Do Not Have Access To This Page');

I did find a solution here that solved the redirect, but the error notification does not show: How to send 500 Internal Server Error error from a PHP script

Code based off of above selected answer:

// Redirect users from sensitive pages
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== "admin") {
    $redirect = array();
    $redirect[] = "uploadImg.php";
    if (in_array(basename($_SERVER["SCRIPT_FILENAME"]), $redirect)) {
        header($_SERVER['SERVER_PROTOCOL'] . ' 403 FORBIDDEN', true, 403);
        header("Location: index.php");
    }
}

OTHER ATTEMPTS: I've also changed the following in an attempt to get my desired effect:

With the suggestion of @Parrot I tried:

// Redirect users from sensitive pages
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== "admin") {
    $redirect = array();
    $redirect[] = "uploadImg.php";
    if (in_array(basename($_SERVER["SCRIPT_FILENAME"]), $redirect)) {
        http_response_code(403);
        header("Location: index.php");
    }
}

Which didn't work to show the notification, although it did redirect, so this motivated me to change the top part of my error document to:

if (isset($_GET['err'])) {
    $error_status = $_GET['err'];
} else {
    $error_status = http_response_code();
}

In the hope that it just wasn't originally reading http_response_code().

NOTE: I am also aware that I could just do header("Location: index.php?err=403"); however I don't wish to show the error code in the address bar.

NOTE: I do know that my redirect method is not the most secure for protecting pages with sensitive information; however, the pages I am redirecting from are just general pages that I do not wish to be viewable by the general public.

Jesse Elser
1 Answer

Replace:

header('HTTP/1.1 403 FORBIDDEN');
header('Status: 403 You Do Not Have Access To This Page');

with:

http_response_code(403);

I think you don't need anything more :)

Tony

Added it in. The redirect works, but unfortunately the notification doesn't appear. I know the script works because I tested it using `404` with a link that I knew didn't exist. – Jesse Elser Oct 10 '16 at 21:13
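The guard below is an added example; it is neither the original poster's code nor the answer's. It assumes that session_start() has already run, that $_SESSION['logged_in'] holds the role string the question compares against, and that index.php is the page that renders the alert; the function names and the flash_error session key are my own. It illustrates the point the thread keeps circling: one HTTP response carries exactly one status code, so a 403 and a Location header cannot both take effect. PHP's header('Location: ...') forces a 302 unless a 201 or 3xx status has already been set, and a browser only follows a 3xx, which is why every variant that combined the two either redirected without the 403 or stalled. The guard therefore offers two mutually exclusive behaviours: answer 403 and render the notice itself (when the script produces a body, Apache serves that body rather than the ErrorDocument), or redirect with a 303 and carry the notice in the session so that ?err=403 never appears in the address bar, which was the poster's stated constraint.

```php
<?php
// Added example, not the original poster's code. Assumes session_start() has
// already run, that $_SESSION['logged_in'] holds a role string, and that
// index.php renders notices. Function names and the flash_error key are mine.

declare(strict_types=1);

// Pages only an "admin" session may load. Same deny-list-by-basename idea as
// the original guard, with the list initialised correctly: the original
// `$redirect[] = array();` appended an empty array instead of creating the list.
const SENSITIVE_PAGES = ['uploadImg.php'];

function is_admin(): bool
{
    return isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === 'admin';
}

function is_sensitive_page(string $scriptFilename): bool
{
    return in_array(basename($scriptFilename), SENSITIVE_PAGES, true);
}

/**
 * Stop non-admin users before a sensitive page emits anything.
 *
 *  - $redirect = false: answer 403 and render the notice here. No Location
 *    header is sent, so the 403 survives.
 *  - $redirect = true: stash the notice in the session and send a 303 to
 *    index.php; the status is 303, not 403, and the URL stays clean.
 */
function deny_unless_admin(bool $redirect = true): void
{
    if (is_admin() || !is_sensitive_page($_SERVER['SCRIPT_FILENAME'])) {
        return;
    }
    if (headers_sent()) {
        // Output already started: headers can no longer change, so stop
        // rather than fall through into the protected page.
        exit;
    }
    if ($redirect) {
        $_SESSION['flash_error'] = 403;          // consumed once by index.php
        header('Location: index.php', true, 303);
        exit;
    }
    http_response_code(403);
    header('Cache-Control: no-store');
    echo render_error_notice(403);
    exit;
}

// Messages are fixed strings keyed by code; the incoming value is never echoed.
function render_error_notice(int $code): string
{
    $messages = [
        400 => ['400 Bad Request', 'There was an error with your request.'],
        401 => ['401 Unauthorized', 'You are not authorized to view this page or directory.'],
        403 => ['403 Forbidden', 'You do not have access to this file or directory.'],
        404 => ['404 Error', 'The page you are looking for does not exist.'],
        500 => ['500 Internal Server Error', 'The server encountered an error. Please try again.'],
        502 => ['502 Bad Gateway', 'The server received an invalid response.'],
        504 => ['504 Gateway Timeout', 'The server is taking too long to respond.'],
    ];
    if (!isset($messages[$code])) {
        return '';
    }
    [$title, $text] = $messages[$code];
    return '<div class="alert alert-danger alert-top" role="alert">' . PHP_EOL
        . '<a href="#" class="close" data-dismiss="alert" aria-label="close">&times;</a>' . PHP_EOL
        . '<strong>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . ':</strong> '
        . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . PHP_EOL
        . '</div>' . PHP_EOL;
}

// For index.php: show a pending notice once, whether it arrived via ?err=
// (Apache's ErrorDocument rewrite) or via the session flash set above.
function consume_error_notice(): string
{
    $code = filter_var($_GET['err'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 400, 'max_range' => 599]]);
    if ($code === false && isset($_SESSION['flash_error'])) {
        $code = (int) $_SESSION['flash_error'];
        unset($_SESSION['flash_error']);          // one-shot: survives exactly one page load
    }
    return $code === false ? '' : render_error_notice($code);
}
```

Usage: at the very top of uploadImg.php, before any output, call session_start(), require the file holding these functions, then deny_unless_admin(); in index.php, echo consume_error_notice() where the alert markup is rendered. The deny-list remains the weak point of this design: any page that is not in SENSITIVE_PAGES is public by default, so a new sensitive page is exposed until someone remembers to add it. Calling the guard unconditionally from each protected page (and dropping the list) removes that failure mode.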