PHP :: Bug #18708 :: Header("Location:") doesn't work after setCookie()?

Bug #18708	Header("Location:") doesn't work after setCookie()?
Submitted:	2002-08-02 10:57 UTC	Modified:	2003-02-26 06:17 UTC
From:	andywright28 at hotmail dot com	Assigned:
Status:	Not a bug	Package:	HTTP related
PHP Version:	4.2.2	OS:	Win2000 sp6a
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	andywright28 at hotmail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2002-08-02 10:57 UTC] andywright28 at hotmail dot com

<?
//some processing
$info = base64encode("$information");
setcookie("user",$info,time()+15552000);
Header("Location: file.php");
?>

The cookie doesn't get set if a Header() function is used straight after it. If I comment out the header function then the cookie is set ok. I can also replace the Header() function with an echo() as in:
echo "<meta http-equiv='refresh' content='0;file.php'>";
and this works fine also.

The PHP installed is the 4.2.2 precompiled binary for Windows, running php.exe from IIS version 5. The piece of code is actually used in PHPNuke. Line 502 of /modules/Your_Account/index.php.

Am I missing something?

Andy

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-08-02 11:33 UTC] hholzgra@php.net

this is not a PHP issue, it is either the webserver or the browser that ignores the SetCookie header on HTTP redirects

btw: your Location: header usage is dangerous, the RFC
clearly says that you have to use *absolute* URLs
in Location: headers

[2002-08-02 11:56 UTC] andywright28 at hotmail dot com

Does Header() not use echo() to print text out? Essentially doing the same thing (with a few checks)? I'm just guessing, as I haven't looked at the source. It just seems strange not to work on a server like IIS. I ran the code originally on Linux/Apache (Mandrake 8.0) and it all worked fine out of the box, using the same machine/browser (Win2k/IE5.5) to browse the web site.

And thanks on the info for the Location: header. I think the guys doing <a href="www.phpnuke.net">PHPNuke</a> should take note since its their code I'm quoting from!

[2002-08-05 05:03 UTC] hholzgra@php.net

php sends both the SetCookie: and the Location: header,
and changes the HTTP status code to 302 to indicate
the redirect 

the actual redirect may happen on the server or the
client side depending on server api and server settings,
in which case the client will never know about the
SetCookie: header as it doesn't even see it

and even if the redirect is processed on the client
side the client might just look for the Location:
line due to the redirect status of the request result
and not process any other headers like esp. SetCookie:
as a redirect is not supposed to have any other payload
than the redirection target address

(i won't comment on the code quality of phpnuke here ;)

[2003-02-25 18:04 UTC] bandit_109 at hotmailc dot om

I have the same problem except this is an BAD issue for me because my code looks like this:

<?
session_name("woot");
session_start();
if (isset($_SESSION["access"]))
	echo "Session was registered with: " . $_SESSION["access"];
else
{
	$access = "session variable";
	$_SESSION["access"]=$access;
}
header("Location: test2.php");
?>

Now obviously if the cookie does not get sent, then I cannot send the session id. I'm trying to migrate an application to IIS and this borks the entire site. I suppose I can get away with replacing all my header redirects with 
echo "<meta http-equiv='refresh' content='0;test2.php'>";
but I wish there was some way that was better than that.

[2003-02-26 06:17 UTC] hholzgra@php.net

to bandit_109 at hotmailc dot om:

it is your code that is doing something wrong,
as it is relying on client behaviour that 
simply doesn't exist (besides the fact that
your Location: header violates RFC2616 anyway)

Location: and Set-Cookie: handlers within a 
single reply just don't work, there's *nothing*
PHP can do about it ...

what you can do is using the SID constant to
add the session id to the Location: redirect
URL as a GET parameter (and change the relative
URL to an absolute one)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Feb 16 10:01:29 2025 UTC