The header function is used to send raw HTTP commands over the HTTP protocols. The function takes as parameters the command, and an optional value of true or false to determine if the header should replace the previous header. If the second parameter isn't provided, the header will be replaced.

When to Call Headers

The HTTP headers must be called before anything is written to the page. This basically means ensuring that the header command is at the top of the script. Occasionally, you may be using include files which send header information, which could cause a problem if anything has been written to the page. In this case, use the output buffer commands, ob_start() to start buffering, and ob_end_flush() to end buffering. When output buffering is used, nothing is sent to the client until until the complete page is prepared on the server (or it's explicitly sent using one of the output buffering commands). You can use the headers_sent function to determine if the headers have been sent. The function returns a boolean value, TRUE if they have been sent, otherwise FALSE.

Cache Control

You can use the header function to ensure that pages are not cached by the client, or any proxy caches they go through. The Expires command should be set to a date in the past. The Cache-Contol command is used with HTTP/1.1, and the Pragma command is used for HTTP/1.0.

<?php
header("Expires: Sat, 1 Jan 2000 00:00:00 GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
print "This page won't be cached";
?>

Redirecting Visitors

The Location command may be used to redirect users to another page. In HTTP/1.1, the URI must be an absolute address.

header("Location: http://www.juicystudio.com/");

You can use the server variables to find this information, and prefix a relative page name with this information. The following example tests for a cookie called, "userName" to determine if the user is logged in. If they're not, they are redirected to the login page.

<?php
if (!isset($userName))
{
    $redirect = "http://" . $HTTP_SERVER_VARS['HTTP_HOST'];
    if (dirname($HTTP_SERVER_VARS['PHP_SELF']) != "/")
        $redirect = $redirect . dirname($HTTP_SERVER_VARS['PHP_SELF']) . "/";
    $redirect = $redirect . "login.php";
    header("Location: $redirect");
    exit();
}
// Rest of page here.
?>

Basic HTTP Authentication

Basic HTTP authentication uses a simple challenge/response scheme to ensure pages are protected on the server. When the request for the page is made, the server replies with an unauthorised user (401) code in the header. On receiving the code, the browser presents the visitor with a dialog box to enter their username and password. This data is then sent to the server for authentication. If the username and password sent to the server are correct, the page will be displayed. The username and password are kept in two global variables called, $PHP_AUTH_USER, and $PHP_AUTH_PW.

The following example checks for the presence of $PHP_AUTH_USER, and $PHP_AUTH_PW. If these exist, and match the values guest/guest, the page is displayed. The example could easily be extended to validate the username and password from a file.

<?php
if ((!isset($PHP_AUTH_USER)) ||
    (!isset($PHP_AUTH_PW)) ||
    ($PHP_AUTH_USER != "guest") ||
    ($PHP_AUTH_PW != "guest"))
{
    header('WWW-Authenticate: Basic realm="Private Area"');
    header("HTTP/1.1 401 Unauthorized");
    print "This page requires authorisation.";
    exit();
}
else
{
    print "You're through to the secret page, was the effort worth it?";
}
?>