headers_list

getservbyport

Last updated: Fri, 22 Aug 2008

header

(PHP 4, PHP 5)

header — Send a raw HTTP header

Description

void header ( string $string [, bool $replace [, int $http_response_code ]] )

header() is used to send a raw HTTP header. See the » HTTP/1.1 specification for more information on HTTP headers.

Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP. It is a very common error to read code with include(), or require(), functions, or another file access function, and have spaces or empty lines that are output before header() is called. The same problem exists when using a single PHP/HTML file.


<html>
<?php
/* This will give an error. Note the output
 * above, which is before the header() call */
header('Location: http://www.example.com/');
?>

Parameters

string

The header string.

There are two special-case header calls. The first is a header that starts with the string "HTTP/" (case is not significant), which will be used to figure out the HTTP status code to send. For example, if you have configured Apache to use a PHP script to handle requests for missing files (using the ErrorDocument directive), you may want to make sure that your script generates the proper status code.


<?php
header("HTTP/1.0 404 Not Found");
?>

The second special case is the "Location:" header. Not only does it send this header back to the browser, but it also returns a REDIRECT (302) status code to the browser unless some 3xx status code has already been set.


<?php
header("Location: http://www.example.com/"); /* Redirect browser */

/* Make sure that code below does not get executed when we redirect. */
exit;
?>

replace

The optional replace parameter indicates whether the header should replace a previous similar header, or add a second header of the same type. By default it will replace, but if you pass in FALSE as the second argument you can force multiple headers of the same type. For example:


<?php
header('WWW-Authenticate: Negotiate');
header('WWW-Authenticate: NTLM', false);
?>

http_response_code

Forces the HTTP response code to the specified value.

Return Values

No value is returned.

ChangeLog

Version	Description
4.4.2 and 5.1.2	This function now prevents more than one header to be sent at once as a protection against header injection attacks.
4.3.0	The `http_response_code` parameter was added.
4.0.4	The `replace` parameter was added.

Examples

Example #1 Download dialog

If you want the user to be prompted to save the data you are sending, such as a generated PDF file, you can use the » Content-Disposition header to supply a recommended filename and force the browser to display the save dialog.


<?php
// We'll be outputting a PDF
header('Content-type: application/pdf');

// It will be called downloaded.pdf
header('Content-Disposition: attachment; filename="downloaded.pdf"');

// The PDF source is in original.pdf
readfile('original.pdf');
?>

Example #2 Caching directives

PHP scripts often generate dynamic content that must not be cached by the client browser or any proxy caches between the server and the client browser. Many proxies and clients can be forced to disable caching with:


<?php
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
?>

Note: You may find that your pages aren't cached even if you don't output all of the headers above. There are a number of options that users may be able to set for their browser that change its default caching behavior. By sending the headers above, you should override any settings that may otherwise cause the output of your script to be cached.
Additionally, session_cache_limiter() and the session.cache_limiter configuration setting can be used to automatically generate the correct caching-related headers when sessions are being used.

Notes

Note: As of PHP 4, you can use output buffering to get around this problem, with the overhead of all of your output to the browser being buffered in the server until you send it. You can do this by calling ob_start() and ob_end_flush() in your script, or setting the output_buffering configuration directive on in your php.ini or server configuration files.

Note: The HTTP status header line will always be the first sent to the client, regardless of the actual header() call being the first or not. The status may be overridden by calling header() with a new status line at any time unless the HTTP headers have already been sent.

Note: There is a bug in Microsoft Internet Explorer 4.01 that prevents this from working. There is no workaround. There is also a bug in Microsoft Internet Explorer 5.5 that interferes with this, which can be resolved by upgrading to Service Pack 2 or later.

Note: If safe mode is enabled the uid of the script is added to the realm part of the WWW-Authenticate header if you set this header (used for HTTP Authentication).

Note: HTTP/1.1 requires an absolute URI as argument to » Location: including the scheme, hostname and absolute path, but some clients accept relative URIs. You can usually use $_SERVER['HTTP_HOST'], $_SERVER['PHP_SELF'] and dirname() to make an absolute URI from a relative one yourself:

<?php /* Redirect to a different page in the current directory that was requested */ $host = $_SERVER['HTTP_HOST']; $uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\\'); $extra = 'mypage.php'; header("Location: http://$host$uri/$extra"); exit; ?>

Note: Session ID is not passed with Location header even if session.use_trans_sid is enabled. It must by passed manually using SID constant.


Issuing a 200 OK status in what might be the expected way doesn't necessarily work. I needed to override a 404 status with a 200 status in a custom error document.



<?php

header("HTTP/1.0 200 OK"); // doesn't work (at least for me)

?>



<?php

header("Status: 200 OK");  // does work

?>



All examples I could find would use the first method which wouldn't work even with the /replace/ and /http_response_code/ parameters set.



This was under Linux, PHP 5.2.2, Apache 1.3.39.

shutout2730 at yahoo dot com
22-Aug-2008 08:57


It is important to note that headers are actually sent when the first byte is output to the browser. If you are replacing headers in your scripts, this means that the placement of echo/print statements and output buffers may actually impact which headers are sent. In the case of redirects, if you forget to terminate your script after sending the header, adding a buffer or sending a character may change which page your users are sent to.



This redirects to 2.html since the second header replaces the first.



<?php

header("location: 1.html"); 

header("location: 2.html"); //replaces 1.html

?>



This redirects to 1.html since the header is sent as soon as the echo happens. You also won't see any "headers already sent" errors because the browser follows the redirect before it can display the error.



<?php

header("location: 1.html");

echo "send data"; 

header("location: 2.html"); //1.html already sent 

?>



Wrapping the previous example in an output buffer actually changes the behavior of the script! This is because headers aren't sent until the output buffer is flushed.



<?php

ob_start();

header("location: 1.html"); 

echo "send data"; 

header("location: 2.html"); //replaces 1.html

ob_end_flush(); //now the headers are sent

?>

sk89q
17-Aug-2008 08:41


You can use HTTP's etags and last modified dates to ensure that you're not sending the browser data it already has cached.



<?php

$last_modified_time = filemtime($file);

$etag = md5_file($file);



header("Last-Modified: ".gmdate("D, d M Y H:i:s", $last_modified_time)." GMT");

header("Etag: $etag");



if (@strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']) == $last_modified_time ||

    trim($_SERVER['HTTP_IF_NONE_MATCH']) == $etag) {

    header("HTTP/1.1 304 Not Modified");

    exit;

}

Orca8767
11-Jul-2008 03:35


Note that if you don't want to go through the process of making sure that there is no output before you send a header, you can use



<?php

ob_start();

?>



at the beginning of your page.

This starts the output buffer, which allows you to send headers whenever you feel like it. Make sure that you put it at the BEGINNING, after the first php tag.



It allows you to do something like



<?php

ob_start();

echo 'foo';

header("Status: 404 Not Found");

echo 'bar';

?>

grom358_spamkill at yahoo dot com dot au
09-Jul-2008 02:38


The Microsoft Knowledge Base mentions the downloading of files (such as PDF) over SSL connections, and others have mentioned here. However I also had the problem over plain HTTP sending to IE7 on Windows 2003 64 edition.



I narrowed it down to the problem only occurring if you send no-store and/or no-cache in the Cache-Control header.

kc8yds at gmail dot com
08-Jul-2008 06:14


heres a fix for my last post-



IE ignores custom error pages that are less than 512 (or from what i've read 1024) bytes.



the past post broke with the release of firefox 3.0 which treats any -- inside of a html comment as a end of comment and not just --> like in the past



here the fix



just place this before any output on your custom error page--- and be sure that your custom error page includes proper html tags (it must have a </body> for this specific example to work)



<?php

// set your custom error header --- example --- header('HTTP/1.1 503 Service Unavailable');



function padding($html){

return ($padding=1024-ob_get_length()) > 0 ? str_replace('</body>','<!--'. ($padding>8?str_repeat(' ',$padding-8) :null ).'-->'."\n".'</body>',$html) : $html;

}



ob_start('padding');

?>

Yasser Khan (MYKSP)
03-Jul-2008 05:34


To get PHP to load a PDF (for example) from file, use the following code.





<?php


$filename = $_SERVER['DOCUMENT_ROOT'] . "/path/to/file/my_file.pdf";


header("Cache-Control: public");


header("Content-Description: File Transfer");


header('Content-disposition: attachment; filename='.basename($filename));


header("Content-Type: application/pdf");


header("Content-Transfer-Encoding: binary");


header('Content-Length: '. filesize($filename));


readfile($filename);


?>

kc8yds at gmail dot com
21-Jun-2008 01:43


if you use php to create custom error pages (such as header('HTTP/1.1 500 Internal Server Error');) Internet Explorer ignores you custom page unless it is at least 512 (or sometimes 1024 bytes)



for your custom error page place the following before any page output



<?php

function padding($html){

return ($padding=1024-ob_get_length())>0 ? str_replace('----',str_repeat('-',$padding+4),$html) : $html;

}

ob_start('padding')

?>



and then place this somewhere within the html error page output



<!-- ---- -->



that will auto-adjust to pad the file to 1024 bytes to override the default Internet Explorer error pages.

stevenwebster at gmail dot com
27-May-2008 04:56


These functions turn on SSL, and turn off SSL. The Redirect function is also good to use for all redirects... tries PHP, then Java, then HTML for redirects.



Here are the improved functions... had an error in the  one I posted yesterday if you guys could please delete that one.



<?php

//This works in 5.2.3

//First function turns SSL on if it is off.

//Second function detects if SSL is on, if it is, turns it off.



//==== Redirect... Try PHP header redirect, then Java redirect, then try http redirect.:

function redirect($url){

    if (!headers_sent()){    //If headers not sent yet... then do php redirect

        header('Location: '.$url); exit;

    }else{                    //If headers are sent... do java redirect... if java disabled, do html redirect.

        echo '<script type="text/javascript">';

        echo 'window.location.href="'.$url.'";';

        echo '</script>';

        echo '<noscript>';

        echo '<meta http-equiv="refresh" content="0;url='.$url.'" />';

        echo '</noscript>'; exit;

    }

}//==== End -- Redirect



//==== Turn on HTTPS - Detect if HTTPS, if not on, then turn on HTTPS:

function SSLon(){

    if($_SERVER['HTTPS'] != 'on'){

        $url = "https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];

        redirect($url);

    }

}//==== End -- Turn On HTTPS



//==== Turn Off HTTPS -- Detect if HTTPS, if so, then turn off HTTPS:

function SSLoff(){

    if($_SERVER['HTTPS'] == 'on'){

        $url = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];

        redirect($url);

    }

}//==== End -- Turn Off HTTPS

?>

milin_mestry at yahoo dot com
23-May-2008 09:54


Hi,



I was trying to save the '.xls' on user machine, which works correctly on

Firefox(developer friendly) but not on Microsoft's IE(Microsoft friendly);



after searching on the net, i found this code which works on both the browser.

Source link: http://www.webdeveloper.com/forum/archive/index.php/t-30248.html



here is the code:

-------------------------

<?php

// downloading a file

$filename = $_GET['path'];



// fix for IE catching or PHP bug issue

header("Pragma: public");

header("Expires: 0"); // set expiration time

header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

// browser must download file from server instead of cache



// force download dialog

header("Content-Type: application/force-download");

header("Content-Type: application/octet-stream");

header("Content-Type: application/download");



// use the Content-Disposition header to supply a recommended filename and

// force the browser to display the save dialog.

header("Content-Disposition: attachment; filename=".basename($filename).";");



/*

The Content-transfer-encoding header should be binary, since the file will be read

directly from the disk and the raw bytes passed to the downloading computer.

The Content-length header is useful to set for downloads. The browser will be able to

show a progress meter as a file downloads. The content-lenght can be determines by

filesize function returns the size of a file.

*/

header("Content-Transfer-Encoding: binary");

header("Content-Length: ".filesize($filename));



@readfile($filename);

exit(0);

?>

kenaniah at bestphp dot net
15-May-2008 08:51


If you are looking to send files such as PDFs or Excel spreadsheets or Microsoft Office documents and are having issues with IE7, IE6, or IE5.5 not being able to open/download the files over an SSL connection, but still need not allow caching, then set these two headers:

<?php

header("Cache-Control: maxage=1"); //In seconds

header("Pragma: public");

?>

Granted, this will cache your file for one second, but it's as close to an un-cached download as you can get when using IE over SSL.



Some basic info on the issue can be found here: http://support.microsoft.com/kb/812935

Patrick
08-May-2008 02:56


If you come across cache error (when trying to cache your images or other files) like this:



[code=CACHE_FILL_OPEN_FILE] An internal error prevented the object from being sent to the client and cached. Try again later.



You may try sending Cache-Control: private header at the beginning to sort that out



header('Cache-Control: private');

cduke420 at gmail dot com
02-May-2008 08:33


If you have Apache, you can setup your ErrorDocument to point 

to a php file that instructs search engines to try again in 120 seconds.  

This can be helpful when you are doing maintenance on the site.



Then in .htaccess



ErrorDocument 503 /cgi-bin/503.php 

ErrorDocument 500 /cgi-bin/503.php 



<?php

ob_start();

@header("HTTP/1.1 503 Service Temporarily Unavailable");

@header("Status: 503 Service Temporarily Unavailable");

@header("Retry-After: 120");

@header("Connection: Close");

?><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>503 Service Temporarily Unavailable</title>

</head><body>

<h1>Service Temporarily Unavailable</h1>

<p>The server is temporarily unable to service your

request due to maintenance downtime or capacity

problems. Please try again later.</p>

</body></html><?php

$g=ob_get_clean();

echo $g;

exit;

exit();

?>



See: 

http://askapache.com/htaccess/503-service-temporarily-unavailable.html

Alex J. Fierro
10-Apr-2008 12:46


As stated above, the header is important when using PHP  code to generate XML sitemaps. 



To make the sitemap, I started by adding...

AddType application/x-httpd-php .xml



to the root .htaccess file so I could run PHP in my XML files.



I then created "sitemap.xml" and wrote the code to dynamically write the sitemap.  However, when I set the XML header, I was the getting "headers already sent" error.



After toying for awhile, I solved the issue.



Although XML sitemaps should be encoded in UTF-8, the PHP was giving me header errors unless I encoded the XML file in ANSI.



So, I encoded the XML file in ANSI and set the header as...

header('Content-type: application/xml; charset="utf-8"',true);



...and it solved the issue. My sitemap now works and passes verification. Hopefully, I'm not making a mistake in encoding and this tip helps someone.

supermax at catmax dot at
22-Mar-2008 11:39


The extraneous bytes are the so called "byte order marker" which are used to differentiate between the different types of Unicode encoding (UTF8, UTF16 little/big endian).



Most editors (except Windows Notepad) can be configured to omit these 3 bytes when saving the file.

gilthans at nospam dot gmail dot com
21-Mar-2008 07:16


I've been having trouble with a simple page that simply redirects the page elsewhere. Even the simple:



<?php

Header("Location: http://www.google.com/");

?>



Wouldn't work ("Warning: Headers already sent!").

After double checking for extra spaces, I found out that because I saved the file as a UTF-8 file, and the page wasn't loaded as a UTF-8 page, so some weird character was prepended to the page. After saving the file as a windows-1252 file it worked ok. Hope this someone some headaches.

henke at henke37 dot cjb dot net
14-Feb-2008 08:50


If you are looking for a way to read the headers that the client sent to the script, the function to use is getAllHeaders.

It is not supported by all server apis.

blinki bill
12-Feb-2008 05:33


if you are planing to make a download script like this one:



<?php

$mm_type="application/octet-stream";



header("Cache-Control: public, must-revalidate");

header("Pragma: hack");

header("Content-Type: " . $mm_type);

header("Content-Length: " .(string)(filesize($fullpath)) );

header('Content-Disposition: attachment; filename="'.$filename.'"');

header("Content-Transfer-Encoding: binary\n");

                  

readfile($fullpath);

?>



you will notice that the zip files becomes invalid after download, thats because all files downloaded starts with empty line which is a problem for the zip files

This can be fixed with adding ob_start() at the beginning of the script and od_end_clean() just before the readfile()

Drew_Benton
12-Jan-2008 07:48


The importance of fully reading the docs!



If you do use the location setting of the header to redirect to another page, do not forget to throw in that "exit;" as the documents say to prevent further execution of script code. This is critical if you are redirecting to another page in response to an error.



I glazed over this small issue and found a number of "surprises" in my database when testing my registration system. The only reason I realized I was doing it wrong was when I got an email from the script saying I had registered when it was erroneous input.



Check all of your header Location's!

Edemilson Lima - pulstar at gmail dot com
17-Dec-2007 08:24


http://www.sitepoint.com/article/caching-php-performance



http://www.sitepoint.com/article/php-anthology-2-5-caching



I did find this excellent tutorial which explains in detail how to control client-side cache with headers and implement a server-side cache as well. Its examples are really useful to bring more performance to your site, but pay attention that getallheaders() and apache_request_headers() only work when PHP is running as an Apache module. Unfortunatelly, these functions are not available when PHP run as a CGI/FastCGI. May have another way to get the IF-MODIFIED-SINCE header in CGI mode, but I don't know.

razonklnbd at hotmail dot com
06-Dec-2007 12:10


i just waste 1 hour for debug a download script which is downloaded into firefox but not at IE..

i just comment following line



//header('HTTP/1.1 202 Accepted');



and its work. i don't know why but i want to share it with you all. perhaps this save someone's valuable time.

henfiber at gmail dot com
04-Dec-2007 02:19


Is there a serious problem with utf8 encoding?

Answer: no- utf8 with bom is a problem..



I spent about 10 hours trying every tip or fix suggested by users to fix the problem with " headers already sent ".



Finally I found the problem with a hex editor.



As it is previously mentioned header() should be the first statement. Moreover php opening and closing tags should be clean of spaces:



So something like this should work:



<?php

header('something ..');

?>



I had applied an authentication scheme to my pages using sessions. The encoding of my files was "utf-8". Though I 

tried cleaning everything about spaces,tabs and other dirt  through my code, I kept getting these " headers already sent errors..". The problem was in utf-8 encoding ( I don't mean the meta:http-equiv=" charset='utf-8' tag but the actual encoding of my file.) When I changed to ANSI everything worked. Actually the utf-8 encoding added three characters at the start of my file : ο»Ώ. This is called bom in utf-8. So if you are going to use utf-8 encodings to your pages and need to put php header code in these pages choose to save "utf8 without bom". (I hope your editor has such an option - I use notepad++ in win32 )

Hope it helps..

webmaster at askapache dot com
26-Nov-2007 07:55


What if you want to serve all .pdf files on your site without changing all the links to point to a php script?  The solution is to use Apache .htaccess and mod_rewrite with the php script.



[ .htaccess ]

+======================================+

RewriteEngine On

RewriteBase /

RewriteCond %{REQUEST_FILENAME} -f

RewriteRule ^(.+)\.pdf$  /cgi-bin/pdf.php?file=$1 [L,NC,QSA]

+======================================+



[ PHP Script pdf.php ]

+======================================+

if(!isset($_GET['file']))die('LOGGED! no file specified');

 

$file_path=$_SERVER['DOCUMENT_ROOT'].

'/'.strip_tags(htmlentities($_GET['file'])).'.pdf';

 

if ($fp = fopen ($file_path, "r")) {

    $file_info = pathinfo($file_path);

    $file_name = $file_info["basename"];

    $file_size = filesize($file_path);

    $file_extension = strtolower($file_info["extension"]);

 

    if($file_extension!='pdf') {

        die('LOGGED! bad extension');

    }

  

    ob_start();

    header('Content-type: application/pdf');

    header('Content-Disposition: attachment; filename="'.$file_name.'"');

    header("Content-length: $file_size");

    ob_end_flush();

 

    while(!feof($fp)) {

        $file_buffer = fread($fp, 2048);

        echo $file_buffer;

    }

  

    fclose($fp);

    exit;

    exit();

} else {

    die('LOGGED! bad file '.$file_path);

}

+======================================+



original article:

http://www.askapache.com/htaccess/pdf-plugin-adobe.html

onge
26-Nov-2007 10:52


I experienced some problem with session and header('Location:') redirect. I have used session to store message to be displayed after redirect. 

For that purpose I have class that load message data from session, unset this session and print message output and this is on each page. 



There was an problem that when unset($_SESSION['name']) was there, then no data was been forewarded, if unset was commented, then everything works fine.



So, I did it that way:



<?php

header('Location: ./'); 

exit;

?>



...and it works. exit; after redirect is the key. I spent about 4 hours on that, so I hope this will save time to someone else.

Kevin
20-Nov-2007 05:33


I noticed a case where IE and Firefox behave a bit differently when you're using the header function in your scripts.  It took me a few hours to find it, so I hope this post saves someone else from the same agony...



When using the header function, it's documented quite clearly that you can't send output to the browser before sending the headers.  I found out that you can, however, send BLANK SPACES before calling the header function and get different results depending on the browser.



Apparently, IE will ignore/discard blank spaces and process headers sent using the header() function.  Firefox does NOT ignore blank space and as a result, it will ignore subsequent headers when you attempt to send them via the header() function. In my case, Firefox was rendering a completely blank page - except for probably my spaces :-)



I found the blank spaces tucked neatly between some line breaks at the end of an include file.  So if your header() calls aren't working in Firefox but they are working in IE, it's probably time to start hunting for stray space characters!



Cheers,

Kevin

php at md-x dot de
07-Nov-2007 06:49


If you want to serve files to be opend in a separate application (also PDF files displayed in the Reader and not in the IE Plugin) with the dialog open/save as/cancel :





Don't use the 





Content-disposition: attachment





and





Cache-control: no-cache





header at same time. 





Normaly the browser stores the file in a temporary directory and starts the default application for the mime-type with the path of the file as parameter. 





Problem : IE6 doesn't store because of no-cache. So the application (in my case AcrobatReader) displays the file can't be found.





Greets


  Mik

bholbrook at servillian dot com
07-Nov-2007 06:06


The first element of the header (i.e. "Location") is case sensitive depending on the browser. In IE7, <?php header("location:http://www.url.com"); ?> does not work as expected whereas <?php header ("Location:http://www.ulr.com"); ?> does work as expected.



For a full list of headers and their values go here: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

ik at dynamique dot nl
07-Nov-2007 03:52


If you want your download script to work in Safari you'll have to print quotation marks around the filename:

header('Content-Disposition: attachment; filename="'.$fileName.'"');

,otherwise Safari will just save the file as 'scriptname.php'.

Aleks
07-Nov-2007 02:06


I recently had a hair-threatening problem with Firefox and XHTML 1.0 transitional.



It worked fine with other browsers, and also with HTML 4.1.



To cut a long story short, PHP-generated JS and CSS files were still being reported by the headers as text/html, while in the HTML they were text/css and application/javascript; Firefox having been told the page was XHTML 1.0 became anal-retentive and refused to style the page. (I think the JS still worked but I fixed it anyway.)



Solution:



header('Content-type: text/css');

and

header('Content-type: application/javascript');

Anonymous
30-Oct-2007 05:22


When streaming a PDF file I would get the error "'There was an error opening this document.  This file cannot be found."  This seemed to only happen in IE6 that I'm aware of.

After changing the Content-Disposition to inline (rather then attachment) it worked properly.

Dylan at WeDefy dot com
13-Oct-2007 05:17


A quick way to make redirects permanent or temporary is to make use of the $http_response_code parameter in header().



<?php

// 301 Moved Permanently

header("Location: /foo.php",TRUE,301);



// 302 Found

header("Location: /foo.php",TRUE,302);

header("Location: /foo.php");



// 303 See Other

header("Location: /foo.php",TRUE,303);



// 307 Temporary Redirect

header("Location: /foo.php",TRUE,307);

?>



The HTTP status code changes the way browsers and robots handle redirects, so if you are using header(Location:) it's a good idea to set the status code at the same time.  Browsers typically re-request a 307 page every time, cache a 302 page for the session, and cache a 301 page for longer, or even indefinitely.  Search engines typically transfer "page rank" to the new location for 301 redirects, but not for 302, 303 or 307. If the status code is not specified, header('Location:') defaults to 302.

tyler at isimple dot net
21-Sep-2007 01:10


I was struggling with session problems for a long time today and I tried everything. Mostly when I was using a header location on IE, it wouldn't pass the vars.



For anyone who has tried everything, the thing that handled it for me was: suExec. Right when I disabled suExec sessions with headers on all browsers started working successfully.



Hope this saves some people a few hours of studious research.



Tyler

predefining at gmail dot com
15-Sep-2007 05:39


I couldn't find an example how to send a status code without the need of resolving the description (e.g. "Not found"). So I was thinking of an array containing all status codes and their descriptions but looking them up can slow down the execution of the script - depending on the array's size. I've looked for an alternative: The solution is to use the third parameter which can send a status code without the need to specify its description! header() will ONLY send the status code if the first parameter is not (!) empty.



function sendStatusCode($statusCode)

{

    header(' ', true, $statusCode);

}



sendStatusCode(404);



This will only work if you're using PHP 4.3.0 or higher. Otherwise you rely on one of the following methods:



header('Status: 404 Not Found');

header('HTTP/1.0 404 Not Found');



Best regards,

Tim

fantasysportswire at yahoo dot com
13-Sep-2007 02:52


There is a comment below that says: 



"Just a little reminder to always use exit(); ! It will save you alot of gray hairs!!!"



... just make sure you are not including that file in another script if you do that... you will gain many more gray hairs than you will ever save in that case.

ryanhanekamp at yahoo dot com
11-Aug-2007 11:10


I strongly recommend the "Live HTTP Headers" plugin for Firefox for any work when manually setting headers. (Find it in the addons section on mozilla.com) This allows you to see the headers your PHP script and server are sending, plus Firefox's request headers.



One important thing to note is a conflict with many of the scripts here, including in lasitha dot alawatta's Excel post just a few below me, is that sending multiple headers of the same type from your script does not actually cause multiple lines of output to the browser, at least for the version of PHP5 I'm running, and it's doubtful the browser would process any other than the last line anyhow.



So sending multiple "Pragma: " or "Cache-Control: " headers results in only the last one set in your script to actually be sent.



Also, it's already been pointed out, but setting "Cache-Control: Pre-Check=0, Post-Check=0" does absolutely nothing. I believe only MSIE even uses these values and it specifically IGNORES both of them when both are set to zero.



I've actually had more trouble trying to encourage caching than preventing it, because PHP sends "Cache-Control" and "Pragma" headers either always or at least always with sessions on (and I always have sessions on). The trick is to always send BOTH "Cache-Control" and "Pragma" because if they conflict it's completely up to the browser to resolve. And if you have a custom server in PHP like I'm working on right now, you'll need to sniff for $_SERVER['IF-MODIFIED-SINCE'] and serve up "HTTP/1.1 304 Not Modified" as appropriate.



If you are doing something like this and want to ensure caching of static files, the best way I found was to give an honest "Last-Modified", set an "Expires:" a reasonable time in the future (a few minutes through the year 2038, depending on what you're doing), set "Cache-Control" to "private" or "public", and stay away from "Max-Age".

Kal
29-Jul-2007 10:07


I spent a long time trying to determine why Internet Explorer 7 wasn't prompting the user to save a download based on the filename specified on a "'Content-Disposition: attachment; filename=..." header line.



I eventually determined that my Apache installation was adding an additional header: "Vary: Host", which was throwing IE - as per http://support.microsoft.com/kb/824847



I found manually setting the Vary header from within PHP as follows header('Vary: User-Agent'); allowed IE to behave as intended.



Hope this saves someone else some time,



- Kal

lasitha dot alawatta at gmail dot com
29-Jul-2007 07:15


Create MS-Excel file:





<?php





    $export_file = "my_name.xls";


    ob_end_clean();


    ini_set('zlib.output_compression','Off');


    


    header('Pragma: public');


    header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");                  // Date in the past    


    header('Last-Modified: '.gmdate('D, d M Y H:i:s') . ' GMT');


    header('Cache-Control: no-store, no-cache, must-revalidate');     // HTTP/1.1 


    header('Cache-Control: pre-check=0, post-check=0, max-age=0');    // HTTP/1.1


    header ("Pragma: no-cache");


    header("Expires: 0");


    header('Content-Transfer-Encoding: none');


    header('Content-Type: application/vnd.ms-excel;');                 // This should work for IE & Opera


    header("Content-type: application/x-msexcel");                    // This should work for the rest


    header('Content-Disposition: attachment; filename="'.basename($export_file).'"');





?>

jasper at jtey dot com
12-Jul-2007 04:30


If you are finding that header() is not working for no obvious reason, make use of the headers_sent() function to drill down to the cause of the problem.



Consider the following scenario,



<?php

// Sign out

signOut();



// Redirect back to the main page

header("Location: http://mysite.com/mainpage");

?>



If for some reason, the header() call to redirect is not working, there won't be any error messages, making it difficult to debug.  However, using headers_sent(), you may easily find the source of the problem.



<?php

// Sign out

signOut();



/*

 * If headers were already sent for some reason, 

 * the upcoming call to header() will not work...

 */

if(headers_sent($file, $line)){

    // ... where were the mysterious headers sent from?

    echo "Headers were already sent in $file on line $line...";

}



// Redirect back to the main page

header("Location: http://mysite.com/mainpage");

?>



As the documentation states, "header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP."  In the above debugging solution, you will find out exactly where any of these problematic output or blank lines exist.  You should then be able to resolve the issues with much more ease than if you hunted for the problems aimlessly.

greg dot jones at senokian dot com
21-Jun-2007 06:16


In case anyone else is having trouble:

using a web-server behind the pound load balancer, we found that trying to redirect to https://example.com for requests to http://example.com were getting into an infinite loop because pound, by default, 'fixes' changes of protocol for you. You want to set RewriteLocation to 0 to turn this behaviour off.

nobileelpirata at hotmail dot com
03-Jun-2007 12:04


This is the Headers to force a browser to use fresh content (no caching) in HTTP/1.0 and HTTP/1.1:





<?PHP


header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );


header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );


header( 'Cache-Control: no-store, no-cache, must-revalidate' );


header( 'Cache-Control: post-check=0, pre-check=0', false );


header( 'Pragma: no-cache' );





?>

Jean-Pierre
27-May-2007 01:21


You can use the Header command to force a browser to use fresh content (no caching).



However, this only works for the HTML code your code generates. When you have updated images for example (with the same filename) then there's a chance that these are still cached.



The easiest way to solve this problem I found is changing:



<?

print "<img src='yourfile.jpg'>";

?>



into:



<?

print "<img src='yourfile.jpg?".time()."'>";

?>



This adds an unique number to the url and wont hurt at all.

ludovic.goix-arobas-"google mail"
17-May-2007 08:58


When not using "exit;" after the header("Location: ..."),  the execution of the script continue below the header, until the end is reached. After this, it's doing the "Redirect". 



if($error)

{

   header("Location: http://url.com");

}



//the script continue with or without an error and execute some function that we do not want...

delete($file);



It could be important to put exit always after a Redirect.



if($error)

{

   header("Location: http://url.com");

   exit;

}



//the script continue only without error. It will execute what we want to do.

dracolytch at yahoo dot com
10-May-2007 06:00


You may find that you want to process a PHP file, and have the browser treat the output as an XML file. Unfortunately, most browsers will only do this if the file extension is ".xml"



In those situations where you can't/don't want to change your apache config to put XML files through the PHP processor, you can use the header function to change the output to something the browser will recognise as XML:



header('Content-Type: text/xml');

header('Content-Disposition: inline; filename=sample.xml');



(The inline portion helps ensure the browser renders the page itself, instead of prompting the user to download the page)



~D

greg d0t pwpp 4t gmail d0t com
02-May-2007 10:53


More on downloading files...



Here's a slight improvement to the method provided by Nick Sterling.



I tried this and it works great, but using fopen ran into memory limit problems.



By using readfile($filename), I solved this problem without having to change the ini settings.



readfile() reads a file and writes it to the output buffer.



Here's my version of the code:



<?php

$filename = "theDownloadedFileIsCalledThis.mp3";

$myFile = "/absolute/path/to/my/file.mp3";



$mm_type="application/octet-stream";



header("Cache-Control: public, must-revalidate");

header("Pragma: hack"); // WTF? oh well, it works...

header("Content-Type: " . $mm_type);

header("Content-Length: " .(string)(filesize($myFile)) );

header('Content-Disposition: attachment; filename="'.$filename.'"');

header("Content-Transfer-Encoding: binary\n");



readfile($myFile);



?>

robert [at] everah [dot] com
02-May-2007 01:24


A brief amendment to the comment by Brandon K [ brandonkirsch uses gmail ]...



The issue with IE downloading dynamic files produced on an SSL encrypted connection with the no-cache Cache Control settings affects most types of files, including .csv, .txt and all Office document types in addition to .pdf files.



This problem affects IE7 as well as IE6 and IE5.5. I haven't found a user using anything earlier so I cannot confirm if it is happening in earlier IE browsers, though I suspect it is. As far as my users have reported, this is not an issue in FF, Opera or Safari.



There is more information on this issue at http://support.microsoft.com/kb/812935 in addition to the many other MSDN reports on this same issue.

Brandon K [ brandonkirsch uses gmail ]
25-Apr-2007 09:34


I just lost six hours of my life trying to use the following method to send a PDF file via PHP to Internet Explorer 6:



<?php

header('Content-type: application/pdf');

header('Content-Disposition: attachment; filename="downloaded.pdf"');

readfile('original.pdf');

?> 



When using SSL, Internet Explorer will prompt with the Open / Save dialog, but then says "The file is currently unavailable or cannot be found.  Please try again later."  After much searching I became aware of the following MSKB Article titled "Internet Explorer file downloads over SSL do not work with the cache control headers" (KBID: 323308)



PHP.INI by default uses a setting: session.cache_limiter = nocache which modifies Content-Cache and Pragma headers to include "nocache" options.  You can eliminate the IE error by changing "nocache" to "public" or "private" in PHP.INI -- This will change the Content-Cache header as well as completely remove the Pragma header.  If you cannot or do not want to modify PHP.INI for a site-wide fix, you can send the following two headers to overwrite defaults:



<?php

header('Cache-Control: maxage=3600'); //Adjust maxage appropriately

header('Pragma: public');

?>



You will still need to set the content headers as listed above for this to work.  Please note this problem ONLY effects Internet Explorer, while Firefox does not exhibit this flawed behavior.

asaucier777 at mac dot com
21-Apr-2007 05:25


Refreshing/redirecting a/to a Page Using the "header" command in PHP.



I found the following code to help me refresh a page or really redirecting to a page after a certain number of secionds.  (I'm using php 5.x)



<?php

print(" <p align=\"center\"> User Not Found</p><br><br>");   // err msg   

 header('Refresh: 3; url=index.html'); // waits 3 seconds & sends to homepage

?>



Explaination:

1. I used php to set up a simple html message as to what is happening

2. with header, there is a command, "Refresh" and here is how it works:

    a. 'Refresh: 3;  -- start all header commands with a single quote

    b.  Refresh requires a parameter that is in seconds which tells the browser

         to refresh after this time period has passed.

    c.  The ; is necessary to separate it from the rest of the Refresh parameters

    d.   Refresh must be uppercased - I think

3. After the ; put the url= command and put in your desired web page

4. Location doesn't work! with in this context.

5. Order matters.  Refresh first, then it's second parameter, url=



--Allen

rich at pioneering-principles dot co dot uk
02-Mar-2007 12:18


I had a site where a flash swf was importing xml



The xml was parsed as php by adding

AddType application/x-httpd-php .xml to the .htaccess file of that directory.



All was working well the php was outputting the xml that the swf needed, but then we moved the site to an https domain, and internet explorer 7 stopped being able to read the xml (firefox still worked correctly).



by adding



header('Pragma: private');

header('Cache-control: private, must-revalidate');



to the xml (parsed as php) page, the problem was cured, and ie7 was able to run the swf on the https domain.

22-Feb-2007 02:34


To download anything I tried both the solutions by "Fred p" and by "info /at/ storytellermusic /dot/ nl" but neither worked.



I found that Fred P's solution worked in no browser! 

And found that the info solution worked in everything but IE!



In the end I found that the solution which allows you to download any file in any browser is the one by:



Nick Sterling

25-Jul-2006 06:17



Here's his code again if you can't find it:



<?php

$mm_type="application/octet-stream";



header("Cache-Control: public, must-revalidate");

header("Pragma: hack");

header("Content-Type: " . $mm_type);

header("Content-Length: " .(string)(filesize($url)) );

header('Content-Disposition: attachment; filename="'.basename($url).'"');

header("Content-Transfer-Encoding: binary\n");

                   

$fp = fopen($url, 'rb');

$buffer = fread($fp, filesize($url));

fclose ($fp);

                   

print $buffer;

?>



Worked in Firefox 2.0.0.1, IE 7 and Opera 9. The downloader even knows the size of the download which isn't the case with many solutions. Cheers!

philip.at.thedeejay.dot.dk
09-Feb-2007 10:22


We experienced some very odd problems with an iframe setup that used header('Location:'); somewhere in the flow.



On our Mac machines (Safari, Firefox) the whole setup just stalled, but on our XP machines (IE, Firefox, Opera) it worked just fine!



The solution to the problem was to use exit(); after the header('Location:');. Don't know if this only is a problem for our setup. Just a little reminder to always use exit(); ! It will save you alot of gray hairs!!!

Hayley Watson
28-Dec-2006 02:31


If you wish to force a file to be downloaded and saved, instead of being rendered, remember that there is no such MIME type as "application/force-download". The correct type to use in this situation is "application/octet-stream", and using anything else is merely relying on the fact that clients are supposed to ignore unrecognised MIME types and use "application/octet-stream" instead (reference: Sections 4.1.4 and 4.5.1 of RFC 2046).

Hayley Watson
28-Dec-2006 02:15


As an alternative to using header('Content-Type: ****') on almost every page, the default Content-Type (and character set, too, if needed) can be set in php.ini under the "default_mimetype" and "default_charset" entries.

mailforlindsay at gmail dot com
15-Nov-2006 11:00


Careful! This line of code cause IIS to crash on PHP 4.3.4 and maybe others.



<?

header("location:/currentfile.php"); 

// forward slash causes crash

// currentfile.php is the exact basename of this file 

?>



Learned this the hard way.

customizeit at pinstripe dot com
07-Nov-2006 06:43


When messing with custom headers, it is extremely helpful to make sure that they are actually sent to the server.  Nothing is more frustrating than discovering that some custom header was improperly formatted or not sent at all.  There is an Internet Explorer add-in called ieHTTPHeaders that I've found to be immensely useful:



http://www.blunck.info/iehttpheaders.html



Firefox (and Mozilla) users can use an equivalent tool/plugin called LiveHTTPHeaders:



http://livehttpheaders.mozdev.org/

kamermans at teratechnologies dot net
12-Oct-2006 02:49


If you are trying to send image data to a mobile phone from PHP, some models (Motorola RAZOR V3 on Cingular) for whatever reason require the "Last-Modified" header or they will not show the image.



<?php

ob_start();

// assuming you have image data in $imagedata

$length = strlen($imagedata);

header('Last-Modified: '.date('r'));

header('Accept-Ranges: bytes');

header('Content-Length: '.$length);

header('Content-Type: image/jpeg');

print($imagedata);

ob_end_flush();

?>



date('r') produces the date with the numeric timezone offset (-0400) versus Apache, which uses timezone names (GMT), but according to the HTTP/1.1 RFC, dates should be formatted  by RFC 1123 (RFC 822) which states: "There is a strong trend towards the use of numeric timezone indicators, and implementations SHOULD use numeric timezones instead of timezone names.  However, all implementations MUST accept either notation." (http://www.ietf.org/rfc/rfc1123.txt)

Michael J. Hudson
27-Sep-2006 06:12


There has been some discussion on the best way to FORCE a

refresh of a page.  In general, the solutions revolve on

reducing or eliminating caching.  However, I think that what 

some people are looking for... is how does one force a real

refresh of the page after some internal action on the page

(be it a javascript action OR a button was pressed).  I found

the following code VERY helpful when I encountered this 

need.  Specifically, I had a listbox where one could press a 

button to delete a selected entry in that listbox.  The listbox 

was dynamically linked to the contents of an external source 

only in the sense that the listbox got updated with the 

current list ONLY when the page got refreshed.  Thus, I

needed a way to force a refresh after the person pressed the 

delete button.  I did this by adding the following code after 

my actual delete action.



<?php

header( "Location: http" . 

(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] 

== "on" ? "s" : "") . "://" . 

$_SERVER['SERVER_NAME'] . ":" . $_SERVER['SERVER_PORT'] . 

( isset($_SERVER['REQUEST_URI']) ? $_SERVER

['REQUEST_URI'] . 

( $_SERVER['QUERY_STRING'] ? "?" . $_SERVER

['QUERY_STRING'] : "" ) : "" ) ); 

?>



Do note, the above code is written to be VERY generic.  

You can probably simplify it greatly if the port is a standard 

port and/or you are always using http or https and/or 

you don't expect to have a query string appended to the end.



BTW, I didn't come up this code myself...  I happened across 

it while reading the following article on auto-login techniques 

for Mediawiki: 

http://meta.wikimedia.org/wiki/

User:Otheus/Auto_Login_via_REMOTE_USER/code

aooa83(a)dsldotpipexdotcom
19-Aug-2006 11:26


apache_request_headers() is only available if PHP is running as an apache module. Various request header values are available in the $_SERVER array, for example:



$_SERVER["HTTP_IF_MODIFIED_SINCE"]



Gives the if modified date in "Sat, 12 Aug 2006 19:12:08 GMT" format.

jherman at digitalgravy dot net
17-May-2006 11:16


PHP as CGI treats header differently.



header("HTTP/1.0 404 Not Found"); returns "404 ok"



When using PHP (3,4 and 5) as CGI to return a 404 you need to use:



header("Status: 404 Not Found"); this returns "404 Not Found"



See: http://bugs.php.net/bug.php?id=27345

hervard at gmail dot com
18-Apr-2006 08:53


When using HTML forms, using the browser's back button will sometimes display a message regarding using cached data, and will ask you to refresh the page. This can be very disconcerting for some users, as they might not know whether to hit Refresh or not.





To force pages to always load the data that was entered in the form prior to hitting a submit button, and prevent the browser's cache message from displaying, use the following code:





<?php





    // Original code found at http://www.mnot.net/cache_docs/





    header("Cache-Control: must-revalidate");


    $offset = 60 * 60 * 24 * -1;


    $ExpStr = "Expires: " . gmdate("D, d M Y H:i:s", time() + $offset) . " GMT";


    header($ExpStr);





?>





This will tell the browser that the page will expire in one day, and the cached form data will be used without prompting the user at all.





I have tested this in Internet Explorer 6, Firefox 1.5, and Opera 8.51, and it works as intended. I have tried other cache-control and expiry variants, but they either do not work, or do not work in every browser. This code appears to be a winner.

nick dot b at kingstransport dot com dot au
23-Mar-2006 03:57


Constructing an absolute URL (for redirecting or other purposes) is full of pitfalls.  As well as considering the notes at http://www.php.net/manual/en/function.header.php#63006 and http://www.php.net/manual/en/function.header.php#61746 you need to consider this issue, applicable if you use ProxyPass (in apache).



Example httpd.conf

...

ProxyPass    /dir/   http: //10.1.1.1/dir/

...

Member of public   --->   Unix/Apache server  --->  IIS/PHP server

http: //nick.com/           nick.com               myphpsvr.nick.com

dir/phpinfo.php             20.10.5.1               10.1.1.1



When your script is on the IIS/PHP server, browsing from member of public, you will have script variables

<?php

// browsing from member of public

$_SERVER['HTTP_HOST'] == '10.1.1.6';

$_SERVER['HTTP_X_FORWARDED_HOST'] == 'nick.com';

$_SERVER['SERVER_NAME'] == '10.1.1.6';

?>



However, if you browse internally (like, when testing, http: //myphpsrv.nick.com/dir/phpinfo.php), the variables turn out like this

<?php

// browsing from internal, direct

$_SERVER['HTTP_HOST'] == 'myphpsvr.nick.com';

$_SERVER['SERVER_NAME'] == 'myphpsvr.nick.com';

// no $_SERVER['HTTP_X_FORWARDED_HOST']

?>



The point is, you need to test $_SERVER['HTTP_X_FORWARDED_HOST'] and use that in preference to either $_SERVER['HTTP_HOST'] or $_SERVER['SERVER_NAME'].



Nick Bishop.

URL's have intentionally been broken up to stop them being clickable.

mandor at mandor dot net
15-Feb-2006 02:14


When using PHP to output an image, it won't be cached by the client so if you don't want them to download the image each time they reload the page, you will need to emulate part of the HTTP protocol.



Here's how:



<?php



    // Test image.

    $fn = '/test/foo.png';



    // Getting headers sent by the client.

    $headers = apache_request_headers(); 



    // Checking if the client is validating his cache and if it is current.

    if (isset($headers['If-Modified-Since']) && (strtotime($headers['If-Modified-Since']) == filemtime($fn))) {

        // Client's cache IS current, so we just respond '304 Not Modified'.

        header('Last-Modified: '.gmdate('D, d M Y H:i:s', filemtime($fn)).' GMT', true, 304);

    } else {

        // Image not cached or cache outdated, we respond '200 OK' and output the image.

        header('Last-Modified: '.gmdate('D, d M Y H:i:s', filemtime($fn)).' GMT', true, 200);

        header('Content-Length: '.filesize($fn));

        header('Content-Type: image/png');

        print file_get_contents($fn);

    }



?>



That way foo.png will be properly cached by the client and you'll save bandwith. :)

denilson at vialink dot com dot br
12-Oct-2005 01:24


If you want to enable caching of your page, you have two solutions: use Etag or use Last-Modified.



Someone has already posted here the code to use Etag. However, sometimes, it is easier (better) to use Last-Modified. The full code is here:



<?php

function get_http_mdate()

{

    return gmdate("D, d M Y H:i:s",filemtime($SCRIPT_FILENAME))." GMT";

}



function check_modified_header()

{

    // This function is based on code from http://ontosys.com/php/cache.html



    $headers=apache_request_headers();

    $if_modified_since=preg_replace('/;.*$/', '', $headers['If-Modified-Since']);

    if(!$if_modified_since)

        return;



    $gmtime=get_http_mdate();



    if ($if_modified_since == $gmtime) {

        header("HTTP/1.1 304 Not Modified");

        exit;

    }

}



check_modified_header();

header("Last-Modified: ".get_http_mdate());

?>



The script checks if time from "If-Modified-Since" header is equal to current modified-time. If it is, a 304 code is returned, and PHP exits. If it is not, PHP continues normally.



You may want to change how "get_http_mdate()" function gets the time. You may want to get time from another file, or from somewhere else (like a date field on database).

jukkissh at hotmail dot com
25-Feb-2005 12:04


If you are building a download script and you are afraid of someone exploiting it, I got a solution.



Store the information of the downloadable files into a (SQL or text file) database or even in array variable in the code if your list of files is very static. You should store at least the path & filename and unique id-number. You can be creative when thinking what info to store...



Build a download script that GETs an id number and checks the database for the file with the given id. Then force download for that file, if it's found, otherwise print an error message.



Example use:

http://some.host.com/download.php?id=256

  --> Downloading file...

http://some.host.com/download.php?id=h4x.txt

  --> Error! File not found!



The force-download script can be built many ways stated in this page (in the notes at least). Pick one that forces the download well. It does not need any extra security features, because we got them already.

nickesh at o2 dot pl
21-Feb-2005 09:36


I've tried to use the script written above...

(aarondunlap.com 28-Dec-2004 11:17)

It doesn't work for PDF extenction corectly. The file is downloaded but as PHP file, not PFD.

I've removed: $ctype="application/pdf"; from the script (in: case "pdf").

Now it works, but don't ask me why.

aarondunlap.com
28-Dec-2004 11:17


I just made a function to allow a file to force-download (for a script to disallow file links from untrusted sites -- preventing mp3/video leeching on forums), and I realized that a script like that could potentially be very dangerous.



Someone could possibly exploit the script to download sensitive files from your server, like your index.php or passwords.txt -- so I made this switch statement to both allow for many file types for a download script, and to prevent certain types from being accessed.



<?php



function dl_file($file){



    //First, see if the file exists