Headers All ready SENT!!!



I got a problem with “Headers all ready sent”…

I am using a small script phpAuth for login into the members area. I tested it on my localhost, everything works fine. But when I upload to my webserver everything crashed and i get “Headers all ready sent”.

localhost: IIS6, php5.1.2
webserver: Apache/1.3.34 (Unix) PHP/4.4.2

I searched the net for possible solutions and found some. I checked for extra lines,spaces before ob_start() - none. I checked for the output_buffering to be turned On. It is On.

But still i get the error message. I dont know WHY? I am going crazy about it, i don’t know what to do… Please someone Help??


maybe this will help,

Try to find in your php code the header what is causing it. (just look for source text “header” in your php code and delete it)

this causes the error in most cases.

if using php code, the first line should start with php(session start; etc) most cases, if you have other content before the php session start etc this can also cause the problem.

maybe you can post the code, more information etc, if this does not help.



Here is more info abotu my problem.

Got 3 files:

1. Login Page:

include “phpAuth_functions.php”;
//Checking is the user did no loggged in already

<SELECT class=legalese id="Select Country" onchange=location.href=this.options[selectedIndex].value size=1 name=select-country> 

<? include "phpAuth_inc.php"; //---->Login Menu ?>
<div class="ContentContainer">


<div style="height: 1px; overflow: hidden; clear: both"></div>
<? ob_end_flush(); ?> [/php]

2. Is the phpAuth_functions.php file, which has the phpAuth_chk()


<? function phpAuth_chk() { session_start(); if(isset($_SESSION["phpAuth_username"])) { header("location: in_home.php"); } } function logout() { global $logout; session_start(); if(isset($_SESSION["phpAuth_username"])) { $logout = "Log out"; return $logout; } } function phpAuth_chk_login() { session_start(); if (!isset($_SESSION["phpAuth_username"])) { echo "You are currently not logged in. Please go to the login page"; exit; } } ?>

3. “phpAuth_inc.php” - Login Menu


<? ob_start(); ?> phpAuth from Designanet.co.uk <? if (isset($_POST["phpAuth_Submit"])) {
	include "phpAuth_config.php";
	$filename = $database_name;
if (!file_exists($filename)) {
		echo "No database exists. Please check your config file.";
} else {
	$handler = fopen($filename,'r');
	$members = file_get_contents($filename);
	// get username and password
	$users_array = explode ("n",$members);
	foreach ($users_array as $users) {
		if ($users != "" || $users != NULL) {
			// break username and password string into seperate variables.
			list($username,$password) = explode("t",$users);
			if ($_POST["phpAuth_usr"] == trim($username) && md5($_POST["phpAuth_pwd"]) == trim($password)) {	

				$logged_in = 1;
			} else {
				$logged_in = 0;
		} else {
	} // end foreach
	if ($logged_in != 1) { // IF USER IS NOT LOGGED IN
		echo "Error! Incorrect Details. <a href="".$_SERVER['HTTP_REFERER']."">Go Back</a>";
	} else { // ELSE LOGGED IN			
		$_SESSION["phpAuth_username"] = $_POST["phpAuth_usr"];
		$_SESSION["phpAuth_password"]  = $_POST["phpAuth_pwd"];
			if ($_POST["phpAuth_rm"] == 1) {
		header('Location: '.$login_redirect.'');


} else {


Remember Me
Not Registered? Register Here
<? } ?> <? ob_end_flush(); ?> [/php]

Else i post the some of the php.ini core

PHP CoreDirective Local Value Master Value
allow_call_time_pass_reference On On
allow_url_fopen On On
always_populate_raw_post_data Off Off
arg_separator.input & &
arg_separator.output & &
asp_tags Off Off
auto_append_file no value no value
auto_prepend_file no value no value
browscap no value no value
default_charset no value no value
default_mimetype text/html text/html
define_syslog_variables Off Off
disable_classes no value no value
disable_functions no value no value
display_errors Off Off
display_startup_errors Off Off
doc_root no value no value
docref_ext no value no value
docref_root no value no value
enable_dl On On
error_append_string no value no value
error_log /var/log/php.log /var/log/php.log
error_prepend_string no value no value
error_reporting 2039 2039
expose_php On On
extension_dir ./ ./
file_uploads On On
gpc_order GPC GPC
highlight.bg #FFFFFF #FFFFFF
highlight.comment #FF9900 #FF9900
highlight.default #0000CC #0000CC
highlight.html #000000 #000000
highlight.keyword #006600 #006600
highlight.string #CC0000 #CC0000
html_errors On On
ignore_repeated_errors Off Off
ignore_repeated_source Off Off
ignore_user_abort Off Off
implicit_flush Off Off
include_path .: .:
log_errors Off Off
log_errors_max_len 1024 1024
magic_quotes_gpc On On
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off
max_execution_time 30 30
max_input_time -1 -1
memory_limit 16M 16M
open_basedir no value no value
output_buffering On no value
output_handler no value no value
post_max_size 8M 8M
precision 14 14
register_argc_argv On On
register_globals Off Off
report_memleaks On On
safe_mode On On
safe_mode_exec_dir /usr/local/bin /usr/local/bin
safe_mode_gid Off Off
safe_mode_include_dir no value no value
sendmail_from me@localhost.com
sendmail_path /usr/sbin/sendmail -t -i http://phphelp.com/forums/viewtopic.php?t=2752 for Posting Guidlines[/b]


the error message “Headers all ready sent” there should be more information in the message like “Headers all ready sent on line 15” etc. Php should say where the error is. And checking the line, you can recover the line in your php code and fix it.

also the error can be if before the php, the one line in the header is empty, like

2.<?php session start?>


On your LOGIN Page. You check check if the user is already logged in. If they are you redirect them (via the isset and header in the phpAuth_functions.php file). If they are not logged in you then present them with the rest of the login page. Here is the problem. In the rest of the login page, you include phpAuth_inc.php. which apparently has the login menu. However, you send the ob_start AGAIN and html has already been sent.

Additionally you are sending Doctype and html and head tags AGAIN. If this is a standalone page then it probably would not be a problem, however, since it’s an included page, I think this is a good place to start.


reciever - The error message doesn’t give a lot of info, since on my webserver php.ini the error_display is turned Off, I use the following code to check the headers:
function g_redirect($url,$mode,$session)
/* It redirects to a page specified by “$url”.

  • $mode can be:
  • LOCATION: Redirect via Header “Location”.
  • REFRESH: Redirect via Header “Refresh”.
  • META: Redirect via HTML META tag
  • JS: Redirect via JavaScript command
    if (strncmp(‘http:’,$url,5) && strncmp(‘https:’,$url,6)) {
 $starturl = ($_SERVER["HTTPS"] == 'on' ? 'https' : 'http') . '://'.
             (empty($_SERVER['HTTP_HOST'])? $_SERVER['SERVER_NAME'] :

 if ($url[0] != '/') $starturl .= dirname($_SERVER['PHP_SELF']).'/';

 $url = "$starturl$url";


switch($mode) {

 case 'LOCATION': 

   if (headers_sent()) exit("Headers already sent. Can not redirect to $url");

   echo header("Location: $url");

 case 'REFRESH': 

   if (headers_sent()) exit("Headers already sent. Can not redirect to $url");

   header("Refresh: 0; URL="$url""); 


For the extra lines and spaces I checked and rechecked the script… i don’t know many hundred times, with differente application notepad,notepad++, rapidphp, html_pad, frontpage, etc. I didn’t find any… :frowning:

I check ur 2 advice. I deleted the Doctype html and head tags. Left just the body. No changes.

I got a question… In my php.ini I got the output_buffering On, just for the local value. But the Master Value is “no value”. Could this be the problem? Is the local value overrided by the Master Value?


Your LOGIN PAGE contains the problem. It’s NOT the checking to see if anyone is logged in at the beginning. It’s the Menu Generation later on in tje included page of phpAuth_inc.php. This include page also has an ob_start function.

Unfortunately if you removed the ob_start() (and the checking for logged in) at the beginning of the login page, I think you made the problem worse.

I don’t use the output buffering, I try to make sure I have sent all my headers stuff first, but I suspect by removing the ob_start on the login page and then leaving the ob_start on the included page, you have created a different issue.

My logic would be that (as it was before you changed it)

  1. output buffering enabled/started
  2. Function checks for login and redirects if user is logged in to login area.
  3. otherwise login page shown.
  4. Login page “includes” login menu from phpAuth_inc.php
  5. phpAuth_inc.php contains ANOTHER ob_start. This ob_start FLUSHES the first ob_start releasing the html already in the buffer. Now no more header info can be sent.
  6. ob_start in phpAuth_inc.php would seem to indicate that more header information needs be sent. – ERROR!

Now that you have changed it, you get part of the login page (sent as HTML) and then you “Include” phpAuth_inc.php which has an ob_start which would seem to indicate that more header information needs be sent. – ERROR!

I would put your login check BACK in the login page.
Remove the ob_start in phpAuth_inc.php

As a final note, I would actually recommend that you put ALL your session stuff (cookies, login checks, etc), in an included sessions file at the beginning of your page and not nested in to some other page. Then based on some variables set in the session (which are accessible to the other pages) you could then make logic decisions.


Finally i managed to solve the problem.
At the end the problem was that my webserver did not turn on the “mbstring” support. I discovered this while editing and uploading the original “phpAuth_inc.php” which was encoded in ANSI, and I reencoded it in UTF-8. Everything worked fine when I was using the original file (ANSI), but if I was using the UTF-8 encoded file, everything would stop working.

I guess the problem was that the UTF-8 enconding adds some extra bytes at the beginnning of the plain-text file. And these extra byteS cause the ob_start () function to fail.

Thank you All!!! :)