boozelclark Posted November 1, 2010

I understand that this is a header error but I still do not know how to fix it. I am trying to create a login box that is in the top right corner of my site. Once the user uses it to log in they need to be redirected to the account page. I include the login_box.php file in the appropriate div. However, the file uses header("Location: account.php"); to redirect the user. Because this file is included after the header I receive

Warning: Cannot modify header information - headers already sent by (output started at C:\xampp\htdocs\index.php:17) in C:\xampp\htdocs\layout_inc\login_box.php on line 76

What would be the correct way to do this? My code is below. Thank you in advance.

```php
<?php
//Forms posted
if(!empty($_POST))
{
    $errors = array();
    $username = trim($_POST["username"]);
    $password = trim($_POST["password"]);
    $remember_choice = trim($_POST["remember_me"]);

    //Perform some validation
    //Feel free to edit / change as required
    if($username == "")
    {
        $errors[] = lang("ACCOUNT_SPECIFY_USERNAME");
    }
    if($password == "")
    {
        $errors[] = lang("ACCOUNT_SPECIFY_PASSWORD");
    }
    //End data validation

    if(count($errors) == 0)
    {
        //A security note here, never tell the user which credential was incorrect
        if(!usernameExists($username))
        {
            $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
        }
        else
        {
            $userdetails = fetchUserDetails($username);

            //See if the user's account is activated
            if($userdetails["Active"]==0)
            {
                $errors[] = lang("ACCOUNT_INACTIVE");
            }
            else
            {
                //Hash the password and use the salt from the database to compare the password.
                $entered_pass = generateHash($password,$userdetails["Password"]);

                if($entered_pass != $userdetails["Password"])
                {
                    //Again, we know the password is at fault here, but let's not give away the combination in case of someone bruteforcing
                    $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
                }
                else
                {
                    //Passwords match! we're good to go

                    //Construct a new logged in user object
                    //Transfer some db data to the session object
                    $loggedInUser = new loggedInUser();
                    $loggedInUser->email = $userdetails["Email"];
                    $loggedInUser->user_id = $userdetails["User_ID"];
                    $loggedInUser->hash_pw = $userdetails["Password"];
                    $loggedInUser->display_username = $userdetails["Username"];
                    $loggedInUser->clean_username = $userdetails["Username_Clean"];
                    $loggedInUser->remember_me = $remember_choice;
                    $loggedInUser->remember_me_sessid = generateHash(uniqid(rand(), true));

                    //Update last sign in
                    $loggedInUser->updateLastSignIn();

                    if($loggedInUser->remember_me == 0)
                        $_SESSION["userCakeUser"] = $loggedInUser;
                    else if($loggedInUser->remember_me == 1)
                    {
                        $db->sql_query("INSERT INTO ".$db_table_prefix."Sessions VALUES('".time()."', '".serialize($loggedInUser)."', '".$loggedInUser->remember_me_sessid."')");
                        setcookie("userCakeUser", $loggedInUser->remember_me_sessid, time()+parseLength($remember_me_length));
                    }

                    //Redirect to user account page
                    header("Location: account.php");
                    die();
                }
            }
        }
    }
}

if(!isUserLoggedIn()) {?>
<form name="newUser" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
    <table>
        <tr>
            <td> <label>Username:</label> </td>
            <td> <input type="text" name="username" /> </td>
        </tr>
        <tr>
            <td> <label>Password:</label> </td>
            <td> <input type="password" name="password" /> </td>
        </tr>
        <tr>
            <td> <label> </label> <input type="submit" value="Login" class="submit"/> </td>
            <td> <input type="checkbox" name="remember_me" value="1" /> <label style="font-size:12px">Remember Me?</label> </td>
        </tr>
    </table>
    <div style="text-align:center;">
        <a href="register.php" class="info">Register</a> | <a href="forgot-password.php" class="info">Forgot Password?</a>
    </div>
</form>
<?php } else{?>
<h1>Welcome <?php echo $loggedInUser->display_username; ?> </h1>
<br/>
<a href="account.php" class="info">Dashboard</a> | <a href="logout.php" class="info">Logout</a>
<?php } ?>
```

Pikachu2000 Posted November 1, 2010

You can't allow anything, not even whitespace, to be output to the browser before attempting to send headers. You should rework the logic to send any headers first.

Also, you should not use action="<?php echo $_SERVER['PHP_SELF'] ?>" as a form action as it presents a known XSS vulnerability. Instead, use action="", or explicitly name the script.

boozelclark (Author) Posted November 1, 2010

Thanks for your help. I managed to fix it by putting the code in another file and reworking the logic. Thanks for the security tip.

elmas156 Posted November 1, 2010

I recently had the same problem and it was really a pain because I had written several pages incorrectly and I had to go back and basically rearrange the code to make it correct. What you have to do is take the part of the code that is processing your sign in form, including the header that is redirecting the user to the account page, and move it all to the top of the code, before the <html> tag. If you do this, everything should work fine.
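
The restructuring both replies describe, as an added example that is not code from the thread: login handling and the redirect run before any output, and the form uses action="" instead of echoing $_SERVER['PHP_SELF']. It assumes PHP 7 or later; the $users array, the demo credentials and the $_SESSION['user'] key are constructed for illustration.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7+ and a single page file.
// Everything that can call header() runs before the first byte of output:
// no whitespace or BOM above the opening tag, no echo, no HTML.
session_start(); // sends the session cookie header, so it belongs up here too

// Constructed demo account store; a real site would query its user table.
$users = ['demo' => password_hash('correct horse', PASSWORD_DEFAULT)];

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = trim((string)($_POST['username'] ?? ''));
    $password = (string)($_POST['password'] ?? '');
    $hash = $users[$username] ?? null;

    if ($hash !== null && password_verify($password, $hash)) {
        session_regenerate_id(true); // fresh session id after login
        $_SESSION['user'] = $username;
        // If output leaked anyway, log where it started instead of failing silently.
        if (headers_sent($file, $line)) {
            error_log("Redirect skipped: output started at $file:$line");
            exit;
        }
        header('Location: account.php');
        exit;
    }
    $error = 'Invalid username or password.'; // same message for both failures
}
?>
<!DOCTYPE html>
<html>
<body>
<div id="login_box">
<?php if (!isset($_SESSION['user'])): ?>
  <?php if ($error !== ''): ?>
    <p><?php echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'); ?></p>
  <?php endif; ?>
  <!-- action="" posts back to the current URL; no request data is echoed -->
  <form method="post" action="">
    <label>Username: <input type="text" name="username" /></label>
    <label>Password: <input type="password" name="password" /></label>
    <input type="submit" value="Login" />
  </form>
<?php else: ?>
  <p>Welcome <?php echo htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8'); ?></p>
<?php endif; ?>
</div>
</body>
</html>
```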