Clicking a link sometimes causes Open File dialog instead of navigating to the page

I have PHP files running on a Unix server running PHP 5.3.6. These files do check a session variable as a form of securing access to them. The method has worked for me in the past and works most of the time here.

The problem I run into is sometimes when you are navigating a site, the open file dialog comes up instead of the browser navigating to that page. The file being offered for download is a php file of the same name as the one you listed, but is of 0 bytes. If you hit cancel and click the link again, often things continue working just fine. This is a problem, however, if you are submitting form information, for instance.

I have had this problem occasionally in the past, and even seen it a couple times on other corporate websites built with PHP (Facebook has done it two or three times), but not nearly as often as I get it with this particular site.

<?php

session_start();
$_SESSION['admin'] = 1;
header('Location: policy.php');

Is a portion of how the session is set (the actual credential checking left out because it's not necessary for the example).

<?php
require "../php/secure.php";

Is the top of ev开发者_Python百科ery one of the "secure" pages. The contents of secure.php are:

<?php
session_start();

if( $_SESSION['admin'] != 1 )
{
    header('Location: index.php');
}

That is the complete secure.php file, no closing ?>.

Any idea as to why this could be happening would be greatly appreciated, I cannot come up with any reason why this would be happening only some of the time and otherwise working perfectly.

Thank you.

You should use an HTTP inspector like fiddler2 or the FireFox addon TamperData to view the request and response when that is happening. Generally, one of the two following will have occurred to cause this:

1. You are sending a header which indicates that the type should be downloaded instead of displayed in the browser
2. You are writing out some data which the browser thinks it cannot render (e.g., bytes with ASCII values under 30 (0x1D), which are considered control characters and are not designed to be printed).