No output before sending headers!
Functions that send/modify HTTP headers must be invoked before any output is made. Otherwise the call fails:
Warning: Cannot modify header information - headers already sent (output started at file:line)
Some functions modifying the HTTP header are:
- header / header_remove
- session_start / session_regenerate_id
- setcookie / setrawcookie
Output can be:
Unintentional
- Whitespace before
<?phpor after?> - UTF-8 Byte Order Mark
- Previous error messages or notices
Intentional
print,echoand other functions producing output (likevar_dump)- Raw
<html>areas before<?phpcode.
Why does it happen?
To understand why headers must be sent before output it's necessary to look at a typical HTTPresponse. PHP scripts mainly generate HTML content, but also pass a set of HTTP/CGI headers to the webserver:
Whitespace before
HTTP/1.1 200 OK
Powered-By: PHP/5.3.7
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
<html><head><title>PHP page output page</title></head>
<body><h1>Content</h1> <p>Some more output follows...</p>
and <a href="/"> <img src=about:note> ...
The page/output always follows the headers. PHP is required to pass the headers to the webserver first. It can only do that once. And after the double linebreak it can't ever append to them again.
When PHP receives the first output (
print,echo,`) it will "flush" the collected headers. Afterwards it can send all the output bits it wants. But sending further headers is impossible from then.How can you find out where the premature output occured?
The
header() warning contains all relevant information to locate the problem source:Warning: Cannot modify header information - headers already sent by (output started at/www/usr2345/htdocs/auth.php:52) in /www/usr2345/htdocs/index.php on line 100
Here "line 100" refers to the script where the
header() invocation failed.
The message in the inner parenthesis is more crucial. It mentions
auth.php and line 52 as the source of premature output. One of the typical problem causes will be there:Print, echo
Intentional output from
print and echo statements will terminate the opportunity to send HTTP headers. The application flow must be restructured to avoid that. Use functions and templating schemes. Ensure header() calls occur before messages are written out.
Functions that can write output include
print, echo, printf, trigger_error, vprintf, ob_flush, var_dump, readfile, passthru among others and user-defined functions.Raw HTML areas
Unparsed HTML sections in a
.php file are direct output as well. Script conditions that will trigger a header() call must be noted before any raw <html> blocks.<!DOCTYPE html>
<?php
// Too late for headers already.
Whitespace before <?php when "somefile.php line 1" mentioned
If the message says the error is in line
1, then it is typically leading whitespace, text or HTML before the opening <?php marker. <?php
# There's a SINGLE! space/newline before <? - Which already seals it.
It can likewise occur for appended scripts or script sections:
?>
<?php
PHP actually eats up a single linebreak after close tags. But it won't compensate multiple newlines or tabs or spaces shifted into such gaps.
