|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #18708 Header("Location:") doesn't work after setCookie()?
Submitted: 2002-08-02 10:57 UTC Modified: 2003-02-26 06:17 UTC
From: andywright28 at hotmail dot com Assigned:
Status: Not a bug Package: HTTP related
PHP Version: 4.2.2 OS: Win2000 sp6a
Private report: No CVE-ID: None
 [2002-08-02 10:57 UTC] andywright28 at hotmail dot com
//some processing
$info = base64encode("$information");
Header("Location: file.php");

The cookie doesn't get set if a Header() function is used straight after it. If I comment out the header function then the cookie is set ok. I can also replace the Header() function with an echo() as in:
echo "<meta http-equiv='refresh' content='0;file.php'>";
and this works fine also.

The PHP installed is the 4.2.2 precompiled binary for Windows, running php.exe from IIS version 5. The piece of code is actually used in PHPNuke. Line 502 of /modules/Your_Account/index.php.

Am I missing something?



Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-08-02 11:33 UTC]
this is not a PHP issue, it is either the webserver or the browser that ignores the SetCookie header on HTTP redirects

btw: your Location: header usage is dangerous, the RFC
clearly says that you have to use *absolute* URLs
in Location: headers
 [2002-08-02 11:56 UTC] andywright28 at hotmail dot com
Does Header() not use echo() to print text out? Essentially doing the same thing (with a few checks)? I'm just guessing, as I haven't looked at the source. It just seems strange not to work on a server like IIS. I ran the code originally on Linux/Apache (Mandrake 8.0) and it all worked fine out of the box, using the same machine/browser (Win2k/IE5.5) to browse the web site.

And thanks on the info for the Location: header. I think the guys doing <a href="">PHPNuke</a> should take note since its their code I'm quoting from!
 [2002-08-05 05:03 UTC]
php sends both the SetCookie: and the Location: header,
and changes the HTTP status code to 302 to indicate
the redirect 

the actual redirect may happen on the server or the
client side depending on server api and server settings,
in which case the client will never know about the
SetCookie: header as it doesn't even see it

and even if the redirect is processed on the client
side the client might just look for the Location:
line due to the redirect status of the request result
and not process any other headers like esp. SetCookie:
as a redirect is not supposed to have any other payload
than the redirection target address

(i won't comment on the code quality of phpnuke here ;)
 [2003-02-25 18:04 UTC] bandit_109 at hotmailc dot om
I have the same problem except this is an BAD issue for me because my code looks like this:

if (isset($_SESSION["access"]))
	echo "Session was registered with: " . $_SESSION["access"];
	$access = "session variable";
header("Location: test2.php");

Now obviously if the cookie does not get sent, then I cannot send the session id. I'm trying to migrate an application to IIS and this borks the entire site. I suppose I can get away with replacing all my header redirects with 
echo "<meta http-equiv='refresh' content='0;test2.php'>";
but I wish there was some way that was better than that.
 [2003-02-26 06:17 UTC]
to bandit_109 at hotmailc dot om:

it is your code that is doing something wrong,
as it is relying on client behaviour that 
simply doesn't exist (besides the fact that
your Location: header violates RFC2616 anyway)

Location: and Set-Cookie: handlers within a 
single reply just don't work, there's *nothing*
PHP can do about it ...

what you can do is using the SID constant to
add the session id to the Location: redirect
URL as a GET parameter (and change the relative
URL to an absolute one) 

PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sun Dec 04 19:05:53 2022 UTC