Login/Register
Emulate a 403 error page
Asked Answered
Solved phpheaderhttp-status-code-403
O

11

86

I know you can send a header that tells the browser this page is forbidden like:

header('HTTP/1.0 403 Forbidden');

But how can I also display the custom error page that has been created on the server for this type of error?

By default, just sending the header displays a white page, but I remember a while back reading that you can use the customer error page. Does anybody know?

Ocelot answered 21/2, 2011 at 2:16 Comment(0)
D
31

Include the custom error page after changing the header.

Dour answered 21/2, 2011 at 2:30 Comment(3)
I tried that as well, but things like this are not rendered: <!--#echo var="REDIRECT_STATUS" -->Ocelot
So after a lot more search and not finding anything else, I chose to include the page and just swap out the SSI commands with PHP.Ocelot
Ryan, that sounds right — to get server-side includes to work, you’d have to call out to Apache again somehow to say, “nevermind, don’t serve this request as PHP, serve 'this page' instead” — or (in a simulation of that behavior), proxying your own site by requesting that 403 page and sending the output back as the original request's response.Picker
X
82

Just echo your content after sending the header.

header('HTTP/1.0 403 Forbidden');

echo 'You are forbidden!';

forbidden

Xuanxunit answered 21/2, 2011 at 2:21 Comment(3)
I know I can do that, but how do I use the custom error template that's already setup?Ocelot
@Ryan Depends entirely on how your application is setup. It may be possible to just include it. Don't send Location header, as it will change the response code.Xuanxunit
This assumes HTTP/1.1 protocol. We now have HTTP/1.1 and HTTP/2. Don't use this.Suffix
H
79

http_response_code was introduced in PHP 5.4 and made the things a lot easier!

http_response_code(403);
die('Forbidden');
Hamon answered 25/4, 2017 at 14:44 Comment(0)
D
31

Include the custom error page after changing the header.

Dour answered 21/2, 2011 at 2:30 Comment(3)
I tried that as well, but things like this are not rendered: <!--#echo var="REDIRECT_STATUS" -->Ocelot
So after a lot more search and not finding anything else, I chose to include the page and just swap out the SSI commands with PHP.Ocelot
Ryan, that sounds right — to get server-side includes to work, you’d have to call out to Apache again somehow to say, “nevermind, don’t serve this request as PHP, serve 'this page' instead” — or (in a simulation of that behavior), proxying your own site by requesting that 403 page and sending the output back as the original request's response.Picker
S
21

For this you must first say for the browser that the user receive an error 403. For this you can use this code:

header("HTTP/1.1 403 Forbidden" );

Then, the script send "error, error, error, error, error.......", so you must stop it. You can use 

exit;

With this two lines the server send an error and stop the script.

Don't forget : that emulate the error, but you must set it in a .htaccess file, with 

ErrorDocument 403 /error403.php
Science answered 18/4, 2013 at 17:26 Comment(0)
E
11

Seen a lot of the answers, but the correct one is to provide the full options for the header function call as per the php manual

void header ( string $string [, bool $replace = true [, int $http_response_code ]] )

If you invoke with

header('HTTP/1.0 403 Forbidden', true, 403);

the normal behavior of HTTP 403 as configured with Apache or any other server would follow.

Eviscerate answered 11/12, 2016 at 4:24 Comment(0)
G
7

I have read all the answers here and none of them was complete answer for my situation (which is exactly the same in this question) so here is how I gathered some parts of the suggested answers and come up with the exact solution:

  1. Land on your server's real 403 page. (Go to a forbidden URL on your server, or go to any 403 page you like)
  2. Right-click and select 'view source'. Select all the source and save it to file on your domain like: http://domain.com/403.html
  3. now go to your real forbidden page (or a forbidden situation in some part of your php) example: http://domain.com/members/this_is_forbidden.php

  4. echo this code below before any HTML output or header! (even a whitespace will cause PHP to send HTML/TEXT HTTP Header and it won't work) The code below should be your first line!

        <?php header('HTTP/1.0 403 Forbidden');
    $contents = file_get_contents('/home/your_account/public_html/domain.com/403.html', TRUE);
    exit($contents);

Now you have the exact solution. I checked and verified with CPANEL Latest Visitors and it is registered as exact 403 event.

Georgiageorgian answered 6/10, 2015 at 18:0 Comment(4)
I can be wrong, but I'd say it just prints the php of /home/your_account/public_html/domain.com/403.php. It don't executes it.Fordone
@Pierre-OlivierVares Yes, it does not execute but it is already a static file, why would you want to execute it. If you still want to execute the included file, use include ("/home/your_account/public_html/domain.com/403.php"); instead.Georgiageorgian
Why would it necessarily be a static file ? Yourself wrote (before editing your comment) '.php' as extension, and the OP asks for SSI in his comments. If it's an .html file, of course you can just echo it. If it's a .php file, it's assumed to be dynamic - and so you can't just echo it unless you explicitly want the source code.Fordone
I couldn't work with .htaccess ErrorDocument and seems like this is the only solution that works with php header function. I recommend to put the header in a function like e.g. function error403() { //all the codes from @tarik } and just call error403() on pages you need.Autoroute
O
4

.htaccess

ErrorDocument 403     /403.html
Owner answered 21/2, 2011 at 2:31 Comment(6)
typo, it happens, (i had 404 and 403.html)Owner
Will apache directly show the error page even if it was the user who changed the header? I don't know why that won't work but I'm just wondering...Dour
@alex, sorry but that happens some timesOwner
The guys here appears to think it's not possible to let apache handle the request if you changed the header: #1501594Dour
@Ibrahim AshShohail user changes the header how? The header is generated by the server.Owner
@Dagon I meant the developer, but technically you are right. It's the server that changed the header. =0Dour
C
3

To minimize the duty of the server make it simple:

.htaccess

ErrorDocument 403 "Forbidden"

PHP

header('HTTP/1.0 403 Forbidden');

die(); // or your message: die('Forbidden');
Craunch answered 5/2, 2014 at 21:34 Comment(0)
P
2

Use ModRewrite:

RewriteRule ^403.html$ - [F]

Just make sure you create a blank document called "403.html" in your www root or you'll get a 404 error instead of 403.

Piperidine answered 1/2, 2015 at 22:46 Comment(2)
Hmm, well it kinda works. I tried it, but the REQUEST_URI variable will be set to /403.html instead of the resource you're trying to restrict. This could be confusing to users.Piperidine
Well you'll have to play with it. ModRewrite is incredibly powerful and it's definitely the solution to your problem.Piperidine
T
1

I understand you have a scenario with ErrorDocument already defined within your apache conf or .htaccess and want to make those pages appear when manually sending a 4xx status code via php.

Unfortunately this is not possible with common methods because php sends header directly to user's browser (not to Apache web server) whereas ErrorDocument is a display handler for http status generated from Apache.

Thibaut answered 27/11, 2014 at 15:22 Comment(0)
E
-1

Refresh the page after sending the 403:

<?php 
header('HTTP/1.0 403 Forbidden');
?>
<html><head>
<meta http-equiv="refresh" content="0;URL=http://my.error.page">
</head><body></body></html>
Eyebrow answered 12/10, 2014 at 6:8 Comment(1)
I don't see this as being a very good solution. Why not just send a location header if that's what you're trying to achieve.Xuanxunit

© 2022 - 2024 — McMap. All rights reserved.