Redirecting and echo

robinjohn

Hi Everyone,
I've written a short script to kill a session variable that stores the login username of a user. The only trouble is when I try to echo and redirect at some point in the code...here's a quick n' dirty example...

<?
session_start();
if (isset($_SESSION["userID"])){
//echo 'Session already Established';
//echo "<p>You've been here too many times $userID . Thanks!</p>";

unset($_SESSION);
session_destroy();

if (!isset($_SESSION["userID"])){
	//echo 'Session Destroyed';
}

}
else{
//echo 'Nothing getting through';
}

header("Location: http://xyz.htm");
?>

Now, if I comment out the echo statements it works grand. However if I leave them in I get a

Warning: Cannot add header information - headers already sent by (output started at /blah/blah...) in /blah/blah/logout.php on line 19

It's confusing, and I don't know enough about PHP to understand that I'm doing something stupid or not. Any ideas anyone?
As far as I'm aware the only other place I'm sending Header information is in the login page....even saying that, why should it make a difference whether echo is commented in or not?

releasedj

Headers are information sent to the browser before any content.

When you use echo, your sending output to the browser, once you've sent output you can't send headers (including cookies).

So your header('Location: ...'); must appear before any output, that's including spaces.

Hope this helps,

Kelvin

robinjohn

Thanks for that, does anyone have any idea how to un-authorize HTTP authorization?

I was trying to delete the global variables for the username and password of the current user.

	unset($GLOBALS['PHP_AUTH_USER']);
                            unset($GLOBALS['PHP_AUTH_PW']);

But it seems to have no effect, when I logout, that code is run, yet when I try to click on the login button it brings me straight through in again. It is as if those two variables are not cleared.

Indeed, I can print them out!

shadedecho

I've suffered from a similar problem, in that I would like to have a way to "zero-out" or null any POST-headers in the request-object that are sent to a PHP file once I process them, so that a refresh of that page doesn't resend the POST information (like if you have a PHP script that charges a credit card or adds data to a db, it will do it every time you refresh the page, cause in IE it will say when a user clicks Refresh "Page cannot be refreshed without resending the information". It took me quite a long time to catch on to what this really means:

IE (and most likely all other browsers) are storing a request object in the memory/cache on a local computer, as they send it on to the server. IF a user then clicks refresh, the BROWSER on the local computer checks to see if there is request data for that page already (which there would be ONLY unless someone had cleared their cache since viewing the page) and then recreates the request and resends it, (if POST data is present, the user has to click "ok" in the dialog box to resend the POST data). That request object is not actually resident on or at the server, ONLY on the local computer, so there's no way for your scripts to have access to it to clear it out.

Same thing with HTTP-auth headers, they are stored locally in the cache on someone's machine, and cannot be zero'd out by the server. The only POSSIBLE way would be to have signed scripts that cleared someone's browser cache for them, but they'd have to let you do it, all the same. No beautiful way to force your (or anyone else's) info to be taken out of a visitor's cache.