What is php $_SERVER['REDIRECT_STATUS']?

With PHP I can see the index "REDIRECT_STATUS" in the $_SERVER array, but php.net makes no mention of it. I have a custom error page that throws a 404, but "REDIRECT_STATUS" is still 200. So what exactly is the status code referring to?

Eaten by a Grue asked Jun 24 '14 04:06


2 Answers

The php-src code suggests the documentation link, namely

```
<p>For more information as to <i>why</i> this behaviour exists,
see the <a href=\"http://php.net/security.cgi-bin\">\
manual page for CGI security</a>.</p>\n\
```

to read about CGI security. With the REDIRECT_STATUS variable - it is not an HTTP header but a variable that is passed from the web server to the CGI program, in this case the php-cgi or php-fpm process - you tell the php-cgi or php-fpm process that the request has been processed by the web server in a controlled way and not in some other way, by directly accessing these CGI scripts.

Historically, you configured the web server to handle CGI binaries in a special directory - something like $DOCROOT/cgi-bin - and you made all CGI scripts accessible through some URL like http://SERVERNAME/cgi-bin/.

Now, if you call a PHP CGI program through such a (direct) URL, http://SERVERNAME/cgi-bin/php-cgi/PATH_TO_PHP_SCRIPT, the default behaviour of php-cgi is to process the document /PATH_TO_PHP_SCRIPT, which might bypass the web server's access controls. The /PATH_TO_PHP_SCRIPT document will be processed even though the server might disallow /PATH_TO_PHP_SCRIPT, as the request has already left the web server and entered the PHP process. With the help of PHP, such a server would leak information, and you would need another access-check layer for all PHP scripts.

To stop this behaviour you can configure the PHP-CGI program to only handle requests that set the REDIRECT_STATUS header, which is impossible for an external client to set in a direct request. Only the web server - in the middle between client and PHP - can set this header; the web server suggests an HTTP status - such as 200, 404, 403 or whatever you like - and allows PHP to process this status. But even the mere existence of this header informs the PHP process that the request has been processed in a regular way by the web server.

Opinion: the better way to protect against such usage would be to configure the web server to disallow direct calls to PHP CGI through a default /cgi-bin/ path.

ikrabbe answered Oct 23 '22 03:10


I've never used this HTTP header before, but what I can understand from the URL @Darren had posted is that you can point all your errors (those errors that result in a 4xx or 5xx HTTP status) to just one PHP file. And in that PHP file you can know which specific error occurred by accessing this REDIRECT_STATUS HTTP header.

kai answered Oct 23 '22 02:10
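As an added example that is not code from the question or either answer, here is a PHP error page that reads REDIRECT_STATUS the way kai describes and refuses requests that did not arrive through the web server's error handling, the property ikrabbe describes. It assumes Apache with ErrorDocument lines pointing at the script; the REDIRECT_URL variable and the list of accepted codes are assumptions of this example.

```php
<?php
// error.php: the single target of Apache ErrorDocument lines such as
//   ErrorDocument 404 /error.php
//   ErrorDocument 500 /error.php
// Assumption: Apache-style internal redirect, which sets REDIRECT_STATUS to the
// original error code and REDIRECT_URL to the URL that failed. A normal request
// (or a direct hit on /error.php) carries REDIRECT_STATUS=200 or nothing at all.
declare(strict_types=1);

/** Error codes this page is willing to render; everything else is refused. */
const ALLOWED_STATUSES = [400, 401, 403, 404, 405, 500, 502, 503];

/**
 * Map the CGI variable to the status we will re-emit. Returns 0 when the
 * request did not come through the server's error handling, e.g. because a
 * client requested /error.php directly (REDIRECT_STATUS missing or 200).
 */
function resolveErrorStatus(array $server): int
{
    $raw = $server['REDIRECT_STATUS'] ?? null;
    if ($raw === null || !ctype_digit((string) $raw)) {
        return 0;
    }
    $code = (int) $raw;
    return in_array($code, ALLOWED_STATUSES, true) ? $code : 0;
}

$status = resolveErrorStatus($_SERVER);
if ($status === 0) {
    // Direct access: answer 404 instead of serving an "error page" with 200.
    http_response_code(404);
    header('Content-Type: text/plain; charset=utf-8');
    exit("Not Found\n");
}

// Re-emit the real status so the custom page itself is not delivered as 200.
http_response_code($status);
header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: no-store');

// Record the failing URL server-side only; it is client-controlled input,
// so it is escaped before it ever reaches the HTML below.
$failedUrl = (string) ($_SERVER['REDIRECT_URL'] ?? '-');
error_log(sprintf('error page: status=%d url=%s', $status, $failedUrl));

$safeUrl = htmlspecialchars($failedUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
printf("<!doctype html><title>Error %d</title><h1>Error %d</h1>\n", $status, $status);
printf("<p>The request for <code>%s</code> could not be completed.</p>\n", $safeUrl);
```

A script that sets its own 404 with header() leaves REDIRECT_STATUS at 200, because the web server handled that request normally; the variable only carries the error code when the server itself redirected to the page via ErrorDocument.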