How to disable output buffering in PHP

tl;dr version

Do two things:

1. Disable the userspace output buffer, either...

   • Globally, by either...

     • Turning off output_buffering in your php.ini, or

     • Turning off output_buffering in your Apache config using

       php_flag "output_buffering" Off
       

   • or for just the script you care about, by either...

     • calling ob_end_flush(), or
     • calling ob_end_clean()

2. Also, disable the server-level output buffer as much as you possibly can, by either:

   • calling ob_implicit_flush() at the start of your script, or
   • calling flush() after every echo statement or other statement that adds output to the response body

Longer version

Confusingly, there are two layers of buffering that may be relevant and the PHP documentation does a poor job of distinguishing between the two.

The output buffer

The first layer is usually referred to by the PHP docs as the 'output buffer'. This layer of buffering only affects output to the body of the HTTP response, not the headers. You can turn on output buffering with ob_start(), and turn it off with ob_end_flush() or ob_end_clean(). You can also have all your scripts automatically start with output buffering on using the output_buffering option in php.ini.

The default value of this option for production versions of php.ini is 4096, which means that the first 4096 bytes of output will be buffered in the output buffer, at which point it will be flushed and output buffering is turned off.

You can disable this layer of buffering globally by setting output_buffering to Off in your php.ini file (or using

php_flag "output_buffering" Off

in your Apache config, if you're using Apache). Alternatively, you can disable it for a single script by calling ob_end_clean() or ob_end_flush() at the start of the script.

The write buffer, and the webserver buffer

Beyond the output buffer is what the PHP manual refers to as the 'write buffer', plus any buffering system your web server has. If you're using PHP with Apache through mod_php, and are not using mod_gzip, you can call flush() to flush these; with other backends, it might work too, although the manual is cagey about giving assurances:

Description

void flush ( void )

Flushes the write buffers of PHP and whatever backend PHP is using (CGI, a web server, etc). This attempts to push current output all the way to the browser with a few caveats.

flush() may not be able to override the buffering scheme of your web server and it has no effect on any client-side buffering in the browser. It also doesn't affect PHP's userspace output buffering mechanism. This means you will have to call both ob_flush() and flush() to flush the ob output buffers if you are using those.

There are also a couple of ways you can make PHP automatically call flush() every time you echo anything (or do anything else that echoes output to the response body).

The first is to call ob_implicit_flush(). Note that this function is deceptively named; given its ob_ prefix, any reasonable person would expect that it would affect the 'output buffer', as do ob_start, ob_flush etc. However, this is not the case; ob_implicit_flush(), like flush(), affects the server-level output buffer and does not interact in any way with the output buffer controlled by the other ob_ functions.

The second is to globally enable implicit flushing by setting the implicit_flush flag to On in your php.ini. This is equivalent to calling ob_implicit_flush() at the start of every script. Note that the manual advises against this, cryptically citing "serious performance implications", some of which I explore in this tangentially related answer.

A rough idea to start you:

<?php   
  session_start();

  if( isset( $_GET['logout'] ) )
  {
    session_destroy();
    header('Location: ../logout.php');
    exit;
  }

  if( !isset( $_SESSION['login'] ) )
  {
    if( !isset( $_SERVER['PHP_AUTH_USER'] ) || !isset( $_SERVER['PHP_AUTH_PW'] ) )
    {
      header("HTTP/1.0 401 Unauthorized");
      header("WWW-authenticate: Basic realm="Tets"");
      header("Content-type: text/html");
      // Print HTML that a password is required
      exit;
    }
    else
    {
      // Validate the $_SERVER['PHP_AUTH_USER'] & $_SERVER['PHP_AUTH_PW']
      if( $_SERVER['PHP_AUTH_USER']!='TheUsername'
          || $_SERVER['PHP_AUTH_PW']!='ThePassword' )
      {
        // Invalid: 401 Error & Exit
        header("HTTP/1.0 401 Unauthorized");
        header("WWW-authenticate: Basic realm="Tets"");
        header("Content-type: text/html");
        // Print HTML that a username or password is not valid
        exit;
      }
      else
      {
        // Valid
        $_SESSION['login']=true;
      }
    }
  }
?>
// The rest of the page is then displayed like normal

First php has to correctly flush everything :

@ob_end_flush();
@flush();

Then, I found two working solutions:

1) Via Nginx configuration:

fastcgi_buffering off;

2) Via HTTP header in the php code

header('X-Accel-Buffering: no');