IF without else - is it secure?

pedrotuga

I use this code to verify user authentication on every file. Is it secure or should i add an ELSE after the IF and then close it in the end of the file. I can do that.. but its kind of anoying having to close it in the end all the time.

can i be 100% shure that the redirection is executed? or does this code may in some situation ( which? ) skip the redirection?

<?php
session_start();

if ($_SESSION['estadologado'] != "logado") { header("location:erro.htm"); }


$ID_docente=$_SESSION['ID_docente'];
$username=$_SESSION['username'];
$nome=$_SESSION['nome'];
?>

bpat1434

How would it skip redirection? Only if the session variable doesn't equals your check. There isn't really a way to skip it (from what I can tell) other than faking it. But if caught at the if() statement, the header() function will always fire.

If you're worried about people seeing the rest of your page if you don't get the header call to fire, just add an exit(); call after the header. That will kill the script.

laserlight

From what I understand, PHP parses the rest of the script even after the header() call is encountered. As such, you really should call die() or exit() after the location header call.

Oh, and please remember that the URI in the location header should be an absolute URL.