PHP possible header redirection exploit?
I was thinking the other day, if someone is protecting their pages like this:
if(!$logged_in)
{
    header("Location:http://mysite/login.php");
}
// protected content here
Is there any way to ignore the HTTP header redirect at the browser level and then display the protected content that follows it?
Yes, because using the header() function merely sets a header. The server will continue running the rest of the PHP script, rendering the protected content.
You'll want to do this instead:
if(!$logged_in)
{
    header("Location:http://mysite/login.php");
    exit();
}
Yes.
Any headers can be ignored.
You should kill the page with exit() right after you redirect the user.
Not sure, but the advised procedure is to follow the header with the line:
if(!$logged_in)
{
    header("Location:http://mysite/login.php");
    exit();
}
Well, if you output data and your users ignore the header redirect (non-standard browser) - yes.