Redirect without HEADER() in PHP

Question

I have the following code in PHP:

header ("Location: nopass.php?percent=$percentage&type=$type");

The form page has radio buttons which will reset to default if I go back because I am changing the page using header();

I thought using Javascript to go back would fix the issue:

<a href="javascript:history.back();">Go Back</a>

But it didn't.

Is there any workaround for the header(); to redirect without writing the header?

I am using POST method for my form.

Answer 1

This will redirect in any case, whether headers are sent or not.

function redirect($url)
{
    if (!headers_sent())
    {
        header('Location: '.$url);
        exit;
    }
    else
    {
        echo '<script type="text/javascript">';
        echo 'window.location.href="'.$url.'";';
        echo '</script>';
        echo '<noscript>';
        echo '<meta http-equiv="refresh" content="0;url='.$url.'" />';
        echo '</noscript>'; exit;
    }
}

Answer 2

The behaviour of retaining the contents of the form is a convenience facility provided by the browser, and not to do with HTTP per se.

When you use the PHP header() function to redirect, you make the page return an HTTP status of 301 or 302, which tells the browser to load the other URL instead.

The difference with the Javascript history.back() method is that you are not giving a URL, you are specifically telling the browser to take a step back through its history, just as though the user had clicked the "back" button in the toolbar. The browser is then making the decision that the form should be rendered as it was when the user left that page.

AFAIK, there is no way in HTTP of telling a User-Agent to go back in its history, because "history" is not a concept defined in raw HTTP (it is an explicitly stateless protocol). Consequently, only client-side code, i.e. Javascript, will trigger that behaviour.

Rather than trying to change the way the redirect is working, why not make it so that no redirect happens at all, and the form is simply re-displayed with the user's selections pre-populated. That way you are not relying on any particular browser behaviour.

This doesn't need to have any complex session storage, as the values will be in $_POST already, so you can just render your form elements with like <input name="foo" value="x" <?php if ( $_POST['foo'] == 'x' ) { echo 'selected'; } ?>>. This is a common way of re-displaying a form after form validation.

Answer 3

You can save your form information inside the $_SESSION, and check for this information when creating the form on your page. A rudimentary example would be to:

form.php:

<?php session_start(); //Start the Session ?>
<input type="radio" name="radios" value="value1" <?php
    /* Check if we've been submitted before */
    if (isset($_SESSION['last_submit']['radios']) && "value1" == $_SESSION['last_submit']['radios']) {
        echo "selected";
    }
?> > Value 1 </input> "
/.. more inputs ../

and in submit.php

<?php
session_start();
$_SESSION[last_submit] = (!empty($_POST)) ? $_POST : array();

Obviously, you would want to filter the POST for any XSS, identify your form so that you don't accidently pre-populate other forms, and clear the info on success, but this should give you a rough idea.