0

I'm using WordPress and I would like to redirect all unauthorized users to the homepage.

In order to do so in the header file I put (at the beginning of the file) the following PHP code:

```php
if (bp_current_component() != "" 
    && bp_current_component() != "event" 
    && !is_user_logged_in() 
    && !isset($_COOKIE['affiplus']) 
    && !isset($_GET['affid']))
{
    header( "HTTP/1.1 410 Gone" ); 
    header( "Location: ".get_option('siteurl')."/home/");
}
```

Unfortunately the HTTP error code returned is always 302 (Moved permanently) and not 410 as I want. Why?

James A Mohler
pAkY88
  • The correct code would be 401 "Similar to 403 Forbidden, but specifically for use when authentication is possible but has failed or not yet been provided" http://en.wikipedia.org/wiki/List_of_HTTP_status_codes – Paté Oct 25 '11 at 14:57
  • No, response code 401 means the server is expecting the client to use HTTP Authentication. – Leonid Shevtsov Oct 25 '11 at 15:02
  • Umm well 403 then but 302 is not the right code IMO – Paté Oct 25 '11 at 15:04

3 Answers

11

Alternately, you could use the Refresh header; this way it will still show a 410 response but also redirect.

```php
<?php 
if (bp_current_component() != "" && 
    bp_current_component() != "event" && 
    !is_user_logged_in() && 
    !isset($_COOKIE['affiplus']) && 
    !isset($_GET['affid']))
{
    header($_SERVER["SERVER_PROTOCOL"]." 410 Gone"); 
    header("Refresh: 0; url=".get_option('siteurl')."/home/");
    exit;
}
?>
```

The main reasoning for sending a 410 (Gone) or (Was a page but now it's Gone) would be that search engines don't index the page.

Lawrence Cherone
  • I'm not so sure if this really makes sense. Signalling the error condition (4xx) and giving the [Refresh](http://en.wikipedia.org/wiki/HTTP_refresh) seems conflicting - even technically possible. – hakre Nov 24 '12 at 20:35
  • This does seem to technically work, at least in Chrome 49 and FF 45. It never made sense to me that a 410 Gone shouldn't be redirected, from a human usability point of view anyway. – MacroMan Mar 16 '16 at 13:58
  • 2
    Just a quick note, I wouldn't recommend setting the header protocol statically. I would suggest a little update to: `header($_SERVER["SERVER_PROTOCOL"] . " 410 Gone", true, 410);` – Daniel.P. Aug 23 '16 at 02:37
  • In IE, at least with those "short http error pages" set to on, the redirect isn't conducted unfortunately; *but* adding a Location header before the Refresh header works as expected. I must say providing a Location header in order to point to an alternative resource is semantically a good idea anyway, IMHO. – Adrian Föder Nov 04 '16 at 15:23
8

You can only send one response status code. So you can either send an error response (4xx) or a redirection response (3xx). Sending a 410 header when an unauthorised user tries to access a resource would be incorrect anyway.

I think just performing a 302 is more than adequate.

hakre
robjmills
  • I know that 410 error code is not correct in this case. I am using it because I need to remove those URLs from the Google's repository. So I would need a way to redirect to the homepage the unauthorized users and return the 410 error code for Googlebot. Any suggestions? Thanks – pAkY88 Oct 25 '11 at 15:21
  • 3
    In that case, issue a 301 "permanently moved" and point at the homepage. 410 is "this is gone, it won't be back, don't bother me again". – Marc B Oct 25 '11 at 15:23
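
The one-status-per-response point above, as an added example that is not part of any answer in this thread: a helper that sends either a redirect or a 410 with a Refresh header, and always ends the script so the protected page is not rendered for an unauthorized visitor. The name `deny_unauthorized()` and its parameters are hypothetical, and the commented usage line assumes WordPress is loaded.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added example, not from the thread): answer an
 * unauthorized request with exactly one status code, then stop.
 *
 * Assumption: $homeUrl is a fixed, site-controlled URL such as
 * get_option('siteurl') . '/home/', never a value taken from the request.
 */
function deny_unauthorized(string $homeUrl, int $status = 302): void
{
    if (headers_sent($file, $line)) {
        // Output has started, so the status line can no longer be changed.
        throw new RuntimeException("Headers already sent at $file:$line");
    }

    if ($status >= 300 && $status <= 399) {
        // Redirect: the third argument of header() sets the status explicitly.
        header('Location: ' . $homeUrl, true, $status);
    } elseif ($status === 410) {
        // Error status plus Refresh. A bare Location header (no third
        // argument) would make PHP replace the 410 with 302, which is the
        // behaviour described in the question.
        http_response_code(410);
        header('Refresh: 0; url=' . $homeUrl);
    } else {
        throw new InvalidArgumentException("Unsupported status $status");
    }

    // Without exit, the rest of the template keeps running and the
    // protected page body is sent together with the redirect headers.
    exit;
}

// Usage inside the theme header, before any output:
// if (!is_user_logged_in()) { deny_unauthorized(get_option('siteurl') . '/home/'); }
```
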
-2

How about

```php
header( "Location: ".get_option('siteurl')."/home/", true, 410);
```

The docs provide an in-depth explanation.

Leonid Shevtsov