PHP: Utilizing exit(); or die(); after header("Location: ");

I have been looking for an answer on this as well. What I found:

Why die() or exit():

If you don't put a die() or exit() after your header('Location: http://something') your script may continue resulting in unexpected behaviour. This may for example result in content being disclosed that you actually wanted to prevent with the redirect (HTTP 301). The aforementioned may not directly be visible for an end user as the browser may not render it (due to the 301). Conclusion, the exit() and die() functions stop the script from continuing.

Difference:

I also wanted to know the difference between the functions as it seems there is none. However, in PHP, there is a distinct difference in Header output. In the examples below I chose to use a different header but for sake of showing the difference between exit() and die() that doesn't matter.

Exit() in action

<?php
    header('HTTP/1.1 304 Not Modified');
    exit();
?>

Results in:

HTTP/1.1 304 Not Modified 
Connection: Keep-Alive 
Keep-Alive: timeout=5, max=100

Die() in action

<?php
    header('HTTP/1.1 304 Not Modified');
    die();
?>

Results in:

HTTP/1.1 304 Not Modified 
Connection: close

Difference

So, die() closes the connection and exit() doesn't. It depends on performance whether or not you want to keep the connection open or close it. Both have advantages and disadvantages and depends on your specific requirement(s).

HTTP persistent connections on Wiki


http://php.net/manual/en/function.exit.php

http://php.net/manual/en/function.die.php

This functions are used to interrupt script execution. You need to use exit or die to stop execution of your script after header("Location: " . getenv("HTTP_REFERER"));, because, in other case, your script will be executed till the end, what can cause some unexpected behavior.


Answer has already been accepted however it seems everyone is missing the glaring WTF in the question:

header("Location: " . getenv("HTTP_REFERER"));
  1. Returning a referer is optional on the part of the user agent

  2. it can easily be faked

  3. there is no method for telling the user the login has failed

  4. there is no HTTP semantic communication of an authentication failure

  5. while the environment variable HTTP_REFERER should be the same as the request header variable, it is not specified in RFC 3875, therefore even where presented to the webserver in the request, getenv("HTTP_REFERER") may return a different value

Tags:

Php

Exit

Die