Hacking PHP: Be careful with header redirects

Something I've noticed a lot with PHP developers is how they handle session checking for users. Most people use a simple $_SESSION['...'] check and if that fails they use a header('location:...') redirect. I've also noticed that a lot of those same developers miss one key security flaw: not everything respects headers. Here is a small example using cURL to demonstrate what I mean.
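The two scripts the post compares, written out here as an added example (not the original post's code); the file names, the `user` session key and `login.php` are assumptions:

```php
<?php
// ---- file: insecure.php ----
// The redirect header is sent, but nothing stops execution, so PHP carries on
// and writes the protected markup below into the response body. A client that
// ignores the Location header simply reads that body.
session_start();
if (!isset($_SESSION['user'])) {   // 'user' is an assumed session key
    header('Location: login.php'); // 302 Found by default
}
?>
<h1>Admin panel</h1>
<p>Only logged-in users should see this.</p>

<?php
// ---- file: less_insecure.php ----
// Same check, but exit() ends the script immediately after the header is
// queued, so an unauthenticated request gets the 302 with an empty body and
// the protected markup is never rendered.
session_start();
if (!isset($_SESSION['user'])) {
    header('Location: login.php');
    exit();
}
?>
<h1>Admin panel</h1>
<p>Only logged-in users should see this.</p>
```

Requesting each file with `curl -i` (which does not follow redirects unless given `-L`) shows the `302` and `Location:` header in both cases, but only insecure.php also returns the `<h1>Admin panel</h1>` markup in the body.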

Such an easy fix. The only difference is that less_insecure.php calls exit() to stop script execution right after the header() call, whereas insecure.php doesn't. Without exit(), PHP keeps running and sends the protected page body along with the redirect header, so a client like cURL that simply ignores the Location header receives the whole page. With exit(), nothing after the header() call is rendered, so there is nothing for the client to read.