ZF-5633: Wrong response code when header location is used

Issue Type: Bug Created: 2009-01-26T01:45:09.000+0000 Last Updated: 2009-10-07T06:55:17.000+0000 Status: Resolved Fix version(s): Reporter: Symetrix (symetrix) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Controller

Related issues: Attachments:


When setting location header, and when this header is not the first, the responseCode is ignore because header ($header['name'], . ': ' . $header['value'], $header['replace']) modify the response code if $header['name'] == 'location'


Posted by Travis Pew (travisp) on 2009-09-18T09:36:25.000+0000

I guess this is because for php, the location header is a special case:

{quote} The second special case is the "Location:" header. Not only does it send this header back to the browser, but it also returns a REDIRECT (302) status code to the browser unless some 3xx status code has already been set." rel="nofollow">PHP: header - Manual {quote}

Currently: The responseCode that Zend_Controller_Response sets will depend on whether or not the location header is the first header that Zend comes across. If the location header was the first header that was set, _httpResponseCode if set will override the location header. If the location header is not the first header that was set, php's standard behavior will be followed (overriding _httpResponseCode if it was anything other than 201 or 3xx).

I don't think what Symetrix thought was a problem should be a problem but I think there is another potential problem: A user sets a responseCode, then later sets the location header (this is the only header that the user sets). The user's location header will essentially be overruled by the prior set responseCode:

<pre class="highlight">
$response = new Zend_Controller_Response_Http();
$response->setHeader('location', '<a href=""></a>');
//result = HTTP/1.1 200 OK

$response = new Zend_Controller_Response_Http();
$response->setHeader('X-test', 'test');
$response->setHeader('location', '<a href=""></a>');
//result = HTTP/1.1 302 Found

Either the httpResponseCode should be the code that is always sent back or we should let location override the response code regardless of whether it was the first or second set header.

Posted by Matthew Weier O'Phinney (matthew) on 2009-09-18T12:56:11.000+0000

Calling setHeader('Location', '...') will not set the response code (unless, of course, PHP does when it detects the Location header). If you call setRedirect(), however, you have the option of providing a response code -- and in that case, it will set the response code.

There are reasons for this. For instance, with REST, when a new item is POST'd, you should specify a "201: Created" header, but also include a "Location" header pointing to the URI for the newly created resource. If setHeader('Location', ...') actually set the response code automatically, this would be problematic

Posted by I Yu (airr) on 2009-10-07T06:55:15.000+0000

How i can fix this problem? WebDav-classes do not work with this problem.

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.