Posted by Rik on 02/18/07 16:26
On Sun, 18 Feb 2007 17:02:36 +0100, turnitup <same@same> wrote:
> turnitup wrote:
>> I have a security mechanism that checks that session variables are set,
>> and if not, redirects. It seems, however, that CURL just ignores this
>> statement and completely breaches my security.
>> Does anyone have any ideas how to avoid this?
>
>
> It seems that CURL ignores the redirect header. I had to put an exit
> after that statement. Sorted now. CAVEAT REDIRECTOR!!!
Which is why redirecting should actually be done like this:
<?php
$target = 'http://example.com';
header("Location: $target");
print("You are being redirected to $target, click <a href=\"$target\">here</a> if you don't get redirected.");
// Stop here so nothing after the redirect is sent to clients that ignore it.
exit;
?>
Not only cURL, but all kinds of applications & browsers can choose not to
directly follow your location headers. If you open pages with cURL, and
you want to obey redirects from the header, use:
curl_setopt($curl,CURLOPT_FOLLOWLOCATION, true);
-- 
Rik Wasmus