Enhance redirections and make them more resilient.

Currently, if headers have already been sent, a redirection will fail and generate errors in the error log. The user will be presented with a page containing a link that he or she will need to click on. Checking if headers have already been sent we can avoid errors, and adding a simple javascript to the "onload" event in the body of the page, we can still redirect automatically. That way, only when headers have already been sent and the users have javascript disabled, they will get to see the page.

lib/SimpleSAML/Utils/HTTP.php

@@ -162,12 +162,14 @@ class HTTP
             Logger::warning('Redirecting to a URL longer than 2048 bytes.');
         }
 
-        // set the location header
-        header('Location: '.$url, true, $code);
+        if (!headers_sent()) {
+            // set the location header
+            header('Location: '.$url, true, $code);
 
-        // disable caching of this response
-        header('Pragma: no-cache');
-        header('Cache-Control: no-cache, must-revalidate');
+            // disable caching of this response
+            header('Pragma: no-cache');
+            header('Cache-Control: no-cache, must-revalidate');
+        }
 
         // show a minimal web page with a clickable link to the URL
         echo '<?xml version="1.0" encoding="UTF-8"?>'."\n";
@@ -178,7 +180,7 @@ class HTTP
         echo '    <meta http-equiv="content-type" content="text/html; charset=utf-8">'."\n";
         echo "    <title>Redirect</title>\n";
         echo "  </head>\n";
-        echo "  <body>\n";
+        echo "  <body onload=\"window.location.replace('".htmlspecialchars($url)."');\">\n";
         echo "    <h1>Redirect</h1>\n";
         echo '      <p>You were redirected to: <a id="redirlink" href="'.htmlspecialchars($url).'">';
         echo htmlspecialchars($url)."</a>\n";