Something I've noticed a lot with PHP developers is how they handle session checking for users. Most people use a simple $_SESSION['...'] check and if that fails they use a header('location:...') redirect. I've also noticed that a lot of those same developers miss one key security flaw: not everything respects headers. Here is a small example using cURL to demonstrate what I mean.
Such an easy fix. You can see the main difference is that less_insecure.php uses exit() to kill script execution, whereas insecure.php doesn't. Calling exit() right after header() stops the script on the server, so a client such as cURL that ignores the redirect receives only the redirect response and the page is never rendered.
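The two guards side by side, as an added example that is not the post's own insecure.php or less_insecure.php. The file name guard_demo.php, the session key 'user_id', the /login.php target and the ?mode= switch are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// guard_demo.php: hypothetical file name, for a local lab only.
// Serve it with PHP's built-in server:  php -S 127.0.0.1:8000
// Request it with a client that does not follow redirects:
//   curl -i 'http://127.0.0.1:8000/guard_demo.php?mode=insecure'
//   curl -i 'http://127.0.0.1:8000/guard_demo.php'

session_start();

// Flawed guard: queues the Location header but returns to the caller,
// so the rest of the script still runs and its output is sent as the
// body of the redirect response.
function guard_without_exit(): void
{
    if (empty($_SESSION['user_id'])) {   // 'user_id' is an assumed key
        header('Location: /login.php');  // assumed login page
    }
}

// Corrected guard: stops execution as soon as the redirect is queued,
// so no protected code runs and no protected output is produced.
function guard_with_exit(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
}

// The ?mode= switch exists only so one file can show both behaviours.
if (($_GET['mode'] ?? 'fixed') === 'insecure') {
    guard_without_exit();
} else {
    guard_with_exit();
}

// Everything from here on is the "protected" page.
$user = (string) ($_SESSION['user_id'] ?? 'nobody');
echo 'Account page for user ' . htmlspecialchars($user, ENT_QUOTES) . "\n";
```

Compare the response bodies of the two requests: both carry the redirect header, and the difference is whether the account page follows it.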