Question

I'm new to PHP, and I'm having a hard time establishing proper session management controls to prevent unauthorized access to a specific section of my site. I'll give an example...

myimaginarysite.com/application/index.php has a form to auth the user and it will redirect you to 'portal.php' after successful auth. 'portal.php' will check for a valid session as part of an include and then based on that it will either send you back to authenticate via header("location....) or just load up the HTML content. Now, if an unauthorized user hits 'portal.php' directly, because they won't have a valid session, they will get redirected back to the index; however, if you proxy the traffic you will see that the whole HTML content for 'portal.php' will actually be sent to the client (although not displayed in the browser) before redirecting back to the login page. So my question is... am I missing something? Is there a way to make sure the HTML content is suppressed and is not sent to the client?

below is a snippet of my code for 'portal.php'

<?php 
include "includes/checksession.php";
?>


<html>
<body>

<a href="../status.php">Who Am I ??</a>
<br></br>
<a href="../logout.php">Log Off</a>

.....bunch of authenticated content.....

</body>
</html>

Solution

You need to stop script execution after sending the redirect headers with die() or exit(). Header redirection only sets the http headers, otherwise the page content is the same unless you instruct it otherwise.
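A complete version of the include the asker describes, written as an added example rather than the asker's actual checksession.php, showing the exit after header() that the answer calls for. It assumes the login form in index.php stores the authenticated user's id in $_SESSION['user_id'] (a constructed key, not from the question) and that portal.php lives under /application/.

```php
<?php
// includes/checksession.php (added example; assumed layout, not the asker's file)
// Assumes index.php sets $_SESSION['user_id'] only after a successful login.
declare(strict_types=1);

session_start();

// Treat an absent or empty user_id as "not authenticated".
if (empty($_SESSION['user_id'])) {
    // If any byte of output has already been sent (a stray space before <?php,
    // a BOM, a debug echo), header() cannot redirect. Fail closed: never fall
    // through to rendering portal.php's content.
    if (headers_sent()) {
        http_response_code(500);
        exit('Redirect failed.');
    }

    // The redirect response must not be cached by the browser or a proxy.
    header('Cache-Control: no-store');

    // 303 makes the client GET the login page regardless of the original method.
    header('Location: /application/index.php', true, 303);

    // Critical: stop here. header() only adds a response header; without exit,
    // PHP keeps running and the rest of portal.php becomes the response body,
    // which is exactly what the asker saw in the proxy.
    exit;
}
```

Because the check runs inside an include, the exit ends the whole request, not just the included file, so nothing after the include line in portal.php is executed or sent.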

OTHER TIPS

Stopping script execution, like Juhana suggested, is probably the easiest solution for now, but there are other possibilities of course. You can just make the output conditional:

<?php 

// checkSession() is assumed to return true only for an authenticated session
if (!checkSession())
{
  // redirect to login page
}
else
{
  // output HTML.
}

If your site grows larger, it will probably (hopefully) also be more structured. If so, it might be easier to include other page fragments. So your code could look like this at first:

if (!checkSession())
{
  include 'loginpage.php';
}
else
{
  include 'portalpage.php';
}

And eventually maybe:

if (!checkSession())
{
  ApplicationContext::setController(new LoginPageController());
}

Whatever the case, exit works fine and may be useful, especially for a case like this, but it terminates your script quite abruptly, so it might get in the way of other processes that you may want to include, like debug output or logging, profiling, and stuff like that.
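The conditional-include structure this answer sketches, carried through as an added example (not the answerer's code) so that the logging it mentions still runs on the unauthenticated path. It assumes checkSession() reads $_SESSION['user_id'] (a constructed key) and that loginpage.php and portalpage.php are plain markup fragments next to portal.php.

```php
<?php
// portal.php as a small front controller (added example; assumed file layout)
declare(strict_types=1);

session_start();

// Assumed helper: true only when the login form has stored a user id.
function checkSession(): bool
{
    return !empty($_SESSION['user_id']);
}

$authenticated = checkSession();

// The fragment is chosen from two fixed names, never from request data,
// so the include path cannot be steered by the client.
$fragment = $authenticated ? 'portalpage.php' : 'loginpage.php';

// Runs for both branches, which an early exit would skip on the login path.
error_log(sprintf('portal: %s -> %s', $authenticated ? 'auth' : 'anon', $fragment));

if (!$authenticated) {
    // Unauthenticated responses carry no portal content and must not be cached.
    http_response_code(401);
    header('Cache-Control: no-store');
}

// Only now does any HTML leave the server; nothing above has produced output.
include __DIR__ . '/' . $fragment;
```

The difference from the exit-based fix is where authorization is decided: here the authenticated markup is never reached on the failing branch, so there is no body to suppress, and the request still finishes normally for any logging or profiling hooked in after the include.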

Licensed under: CC-BY-SA with attribution