Joined: 21 Jan 2004
Location: Northern California, USA
Posted: Sun Feb 10, 2013 1:56 am Post subject: Security ramifications of cgi.force_redirect=0
Here's my situation:
I am trying to set up a web application (xoops) on a local Ubuntu ("precise") server running Abyss 2.8 and PHP 5.3.10. I'm seeing a weird problem where part of the URL is being duplicated, resulting in inaccessible pages. I'm led to believe that the cgi.force_redirect option in php.ini may be the culprit (even though I have set REDIRECT_STATUS=200 in the Abyss console - what does this do?).
The php.ini file itself has this setting commented out but claims "Left undefined, PHP turns this on by default. You can turn it off here AT YOUR OWN RISK. **You CAN safely turn this off for IIS, in fact, you MUST.**"
Obviously I'm not using IIS. But the real question for me is: what are the security ramifications of setting cgi.force_redirect=0? How much and what kind of security do I sacrifice by doing this? Is this really likely to be the correct solution?
"If fifty million people say a foolish thing, it is still a foolish thing." -- Anatole France
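For reference, here are the two php.ini states the question is about, side by side with what php-cgi does under each. This fragment is an added illustration, not text from the post, from Abyss, or from the stock php.ini; the directive and environment-variable names (cgi.force_redirect, cgi.redirect_status_env, REDIRECT_STATUS, HTTP_REDIRECT_STATUS) are PHP's own, and the example paths are made up.

```ini
; --- Default / hardened --------------------------------------------------
; With force_redirect on, php-cgi refuses to run unless the web server tells
; it that the request was internally redirected to it. It accepts the request
; if REDIRECT_STATUS or HTTP_REDIRECT_STATUS is present in the environment,
; or the variable named in cgi.redirect_status_env is. Otherwise it prints
; "Security Alert! The PHP CGI cannot be accessed directly." and exits.
cgi.force_redirect = 1

; Only needed if the server exports a differently named variable. Leaving it
; unset keeps the two default names above. Setting REDIRECT_STATUS=200 in the
; server's CGI environment (as in the post) is exactly what satisfies this check.
;cgi.redirect_status_env =

; --- Weak: the setting being asked about ---------------------------------
; With force_redirect off, php-cgi runs for ANY invocation, including a
; request aimed at the interpreter binary itself when it is reachable as a
; URL (e.g. if php-cgi lives in a scriptable cgi-bin). In that case the
; client, not the server, decides which file PATH_TRANSLATED points at, so a
; request such as  /cgi-bin/php-cgi/private/page.html  (hypothetical path)
; makes PHP read and execute a file the server's own per-directory access
; controls would otherwise have protected. This is the documented reason
; the option exists and why the stock php.ini says "AT YOUR OWN RISK".
; The IIS exception is because IIS maps the interpreter by extension and
; never exposes the binary as a URL of its own.
;cgi.force_redirect = 0
```

The practical check before relaxing anything is therefore not the php.ini value but the server layout: if php-cgi is configured only as an interpreter for `.php` files and is not itself requestable at any URL, the setting buys little either way; if the binary is in a CGI directory, keep force_redirect on and make sure the server really does export REDIRECT_STATUS (or set cgi.redirect_status_env to whatever it does export) rather than turning the check off.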