Force SSL only on certain pages with PHP - php

I have found a solution for setting one page on my WordPress site to use https though I am trying to apply the ssl to two pages instead of one. I have tried various if or statements, but can't seem to get the syntax correct.
Below is my if statement that works perfectly on one page:
if (!empty($_SERVER['HTTPS']) && !empty($_SERVER['REQUEST_URI']))
{
if ($_SERVER['HTTPS'] == 'on' && $_SERVER['REQUEST_URI'] != '/bill-pay/')
{
header("Location:http://example.com{$_SERVER['REQUEST_URI']}", 301);
exit;
}
elseif ($_SERVER['HTTPS'] != 'on' && $_SERVER['REQUEST_URI'] == '/bill-pay/')
{
header("Location: https://example.com{$_SERVER['REQUEST_URI']}", 301);
exit;
}
}
For the sake of clarity, I have only added my version that works for one page.


Keep in mind that only securing part of the site effectively means almost no security at all. Via MITM or other vulnerabilities an attacker can easily rewrite the links to the secure pages to outside pages under control of the attacker.
Remember, SSL is not only about a secure connection but also about proving who you (=your site) really are. Please, do secure your whole site, run it through SSL Labs, follow its recommendations. It's better for everyone, especially your customers.


Would have thought a straight-forward...
if (!empty($_SERVER['HTTPS']) && !empty($_SERVER['REQUEST_URI']))
{
if ($_SERVER['HTTPS'] == 'on' && !($_SERVER['REQUEST_URI'] == '/bill-pay/' || $_SERVER['REQUEST_URI'] == '/other-page/'))
{
header("Location:http://example.com{$_SERVER['REQUEST_URI']}", 301);
exit;
}
elseif ($_SERVER['HTTPS'] != 'on' && ($_SERVER['REQUEST_URI'] == '/bill-pay/' || $_SERVER['REQUEST_URI'] == '/other-page/'))
{
header("Location: https://example.com{$_SERVER['REQUEST_URI']}", 301);
exit;
}
}
... should do the trick
Edit
This code might be more appropriate, given the comments:
if (isset($_SERVER['REQUEST_URI']) && ($_SERVER['REQUEST_URI'] == '/bill-pay/' || $_SERVER['REQUEST_URI'] == '/other-page/'))
{
if (!isset($_SERVER['HTTPS']) || empty($_SERVER['HTTPS']))
{
header("Location: https://example.com{$_SERVER['REQUEST_URI']}", 301);
exit;
}
}
else
{
if (isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']))
{
header("Location: http://example.com{$_SERVER['REQUEST_URI']}", 301);
exit;
}
}
Remember empty() resolves to false if the value is not set ;)

Related

Target child directory with php

I am running an argument based on urls to determine whether a user can access that area or not of the site. Is there a better way to instead of listing our every url just say anything after / cant be access. Here is my code it will better explain the problem:
if( $siteUrl == '/shop-portal/' && $userRole == 'customer'){
header('Location: http://mywebsite.co.uk/');
} elseif( $siteUrl == '/product-category/...' && $userRole == 'customer'){
header('Location: http://mywebsite.co.uk/');
}
so where I have /product-category/ isa there a way instead of writing out '/product-category/category1 etc etc every time can I just create one argument? Like anything after '/product-category/...' gets redirected?

I figured it out, here if any one else needs to see it:
if(strpos($siteUrl, 'shop-portal') !== false && $userRole == 'customer'){
header('Location: http://mywebsite.co.uk/');
} elseif(strpos($siteUrl, 'product-category') !== false && $userRole == 'customer'){
header('Location: http://mywebsite.co.uk/');
}
I changed up the query to check if the string exists in the url!

PHP conditional redirect always redirects to the same page

I have two domains and need to make a entry script so i can determine which site the user is coming for and redirect them to the correct part of the site but it just directs to the first link
<?php
if($_SERVER['HTTP_HOST'] == 'neonbacon.com' || 'www.neonbacon.com')
{
header("Location: http://neonbacon.com/client");
}
else if($_SERVER['HTTP_HOST'] == 'scarletgamers.com' || 'www.scarletgamers.com')
{
header("Location: http://scarletgamers.com/home");
}else
{
echo 'Error 1';
}
?>

It's an order-of-operations issue. You are asking if either
$_SERVER['HTTP_HOST'] == 'neonbacon.com'
or
'www.neonbacon.com'
...is true. The second one will always be true, since it's just a string. So therefore, it'll always execute that if block.
Try this:
if($_SERVER['HTTP_HOST'] == 'neonbacon.com' || $_SERVER['HTTP_HOST'] == 'www.neonbacon.com')
and:
else if($_SERVER['HTTP_HOST'] == 'scarletgamers.com' || $_SERVER['HTTP_HOST'] == 'www.scarletgamers.com')

Php https request for a page

I was trying to use this code:
if($_SERVER['HTTP_PORT'] !== 443 && !isset($_SERVER['HTTPS'])) {
header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
exit;
}
to make my login page and register page contain https to use the ssl to make sure that everything is secure, but when I run the page an error message shows up Undefined index error using $_SERVER['HTTPS']
so I decided to use another one:
if ( isset( $_SERVER["HTTPS"] ) && strtolower( $_SERVER["HTTPS"] ) == "on" ) {
$pageURL .= "s";
}
but it didn't work. The https didn't show up and http is only there...
any idea how to do that with php...
Thanks
The solution is:
if($_SERVER["HTTPS"] != "on")
{
header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
exit();
}

From the manual:
$_SERVER['HTTPS']
Set to a non-empty value if the script was queried through the HTTPS protocol.
Therefore, you should be using the following condition to check for an HTTPS connection:
if(!empty($_SERVER['HTTPS']))
{
// https://...
}

You'd better use $_SERVER['SERVER_PORT'].
HTTP_PORT doesnt always return the portnumber.

Identify whether the current url is http or https in a project

I have a website in Zend framework. Here I want to identify whether the current URL contains HTTPS or HTTP? I have used the following code
if($_SERVER['HTTPS']==on){ echo "something";}else{ echo "something other";}
But the result is not correct. Is there is any other way to identify this?
Also I have one more question.
How to get complete current url (including HTTP/HTTPS) using php?
Please help me
Thanks in advance

if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
echo "something";
} else {
echo "something other";
}
notice the on should be a string .

You could use methods that are already defined in Zend Framework instead of explicitly using $_SERVER superglobals.
To determine if the connection is HTTP or HTTPS (this code should go into your controller):
if ( $this->getRequest()->isSecure() ) { echo 'https'; } else { echo 'http'; }
To get complete current url:
$this->getRequest()->getScheme() . '://' . $this->getRequest()->getHttpHost() . $this->getRequest()->getRequestUri();

The better way to check is
if (isset($_SERVER['HTTPS']) && $_SEREVER['HTTPS'] != 'off')
{
//connection is secure do something
}
else
{
//http is used
}
As stated in manual
Set to a non-empty value if the script
was queried through the HTTPS
protocol.
Note: Note that when using ISAPI with IIS, the value will be off if the
request was not made through the HTTPS
protocol.

you need to fix check it should be
if ($_SERVER['HTTPS'] == 'on')
or try following function
if(detect_ssl()){ echo "something";}else{ echo "something other";}
function detect_ssl() {
return ($_SERVER['HTTPS'] == 'on' || $_SERVER['HTTPS'] == 1 || $_SERVER['SERVER_PORT'] == 443)
}

This will both check if you're using https or http and output the current url.
$https = ((!empty($_SERVER['HTTPS'])) && ($_SERVER['HTTPS'] != 'off')) ? true : false;
if($https) {
$url = "https://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
} else {
$url = "http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
}

Use PHP to check if page was accessed with SSL

Is there a way to check if the current page was opened with SSL? For example, I want my login page (login.php) to check if it was accessed using SSL (https://mywebserver.com/login.php). If not, redirect them to the SSL version of the page.
Pretty much, I want to enfore that the user uses the page securely.

You should be able to check that $_SERVER['HTTPS'] is set, e.g.:
if (empty($_SERVER['HTTPS'])) {
header('Location: https://mywebserver.com/login.php');
exit;
}

Be careful. On my IIS server, $_SERVER['HTTPS'] is not empty but has the value 'off'.
So i had to do
if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
// no SSL request
}

You'll find this may not work if you are working over forwarded protocols. For example, Amazon's ELB can handle SSL negotiation and interact with your app servers over port 80.
This block handles that:
public function isSSL()
{
if( !empty( $_SERVER['https'] ) )
return true;
if( !empty( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https' )
return true;
return false;
}

Well, Here is another chunk of code. The code will return full url with https/http.
<?php
/**
* Check whether URL is HTTPS/HTTP
* #return boolean [description]
*/
function isSecure()
{
if (
( ! empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
|| ( ! empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
|| ( ! empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on')
|| (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443)
|| (isset($_SERVER['HTTP_X_FORWARDED_PORT']) && $_SERVER['HTTP_X_FORWARDED_PORT'] == 443)
|| (isset($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https')
) {
return true;
} else {
return false;
}
}
/**
* Example Use
*/
define('APP_URL', (isSecure() ? 'https' : 'http') . "://{$_SERVER['SERVER_NAME']}".str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME']));
echo APP_URL;
/**
* +++++++++++++++++++++++++
* OR - One line Code
* +++++++++++++++++++++++++
*/
define('APP_URL', ((( ! empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || ( ! empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') || ( ! empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on') || (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443) || (isset($_SERVER['HTTP_X_FORWARDED_PORT']) && $_SERVER['HTTP_X_FORWARDED_PORT'] == 443) || (isset($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https') ) ? 'https' : 'http') . "://{$_SERVER['SERVER_NAME']}".str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME']));
echo APP_URL;
?>

<?php
if ( !empty( $_SERVER['HTTPS'] ) ) {
//do secure stuff
}else{
//warn or redirect or whatever
}
?>
http://php.net/manual/en/reserved.variables.server.php

Another method is to check for the existence of HTTPS cookies. First your server needs to send the browser a cookie with the secure flag:
Set-Cookie:some_key=some_value;secure
After your server has sent the browser the cookie, whenever the browser requests a page from your server, it will send along the secure cookie some_key=some_value only if it is requesting a HTTPS page. This means that if you see the existence of the cookie some_key=some_value you know that the browser is requesting a HTTPS page. Voila!
Browser support is very good, as this is fundamental to security. Browsers without support for HTTPS cookies are Firesheepable when users request pages from non-HSTSed domains.
For more info, see:
https://httpsnow.org/help/securecookies
https://www.owasp.org/index.php/SecureFlag#Overview
https://stackoverflow.com/a/13730187/632951
https://security.stackexchange.com/q/100/2379

Just to add that in case of nginx, the way to check for https is:
if (isset($_SERVER['SERVER_PORT']) &&
($_SERVER['SERVER_PORT'] === '443')) {
return 'https';
}

To use PHP to check if the page was accessed without SSL you can check the port number.
// Most encrypted web sites use port 443
if ($_SERVER['SERVER_PORT']==443) {
// Tell browser to always use HTTPS
header('strict-transport-security: max-age=126230400');
}
elseif (isset($_SERVER['SERVER_PORT'])) {
// Redirect current page to https with 301 Moved Permanently response
header('location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'], true, 301);
exit;
}
This assumes your server is configured with the SERVER_PORT environment variable and that the encrypted version of your web site is hosted on port 443. It also assumes your server is not behind a load balancer. If your server is behind a load balancer, you might need a more advanced solution such as this one that does not rely on custom HTTP headers which can vary from one load balancer to the next:
// Set secure cookie to detect HTTPS as cookie will not exist otherwise.
header('set-cookie: __Secure-https=1; expires='.substr(gmdate('r', ($_SERVER['REQUEST_TIME']?: time())+126230400), 0, -5).'GMT; path=/; secure', false);
// Tell browser to always use HTTPS
header('strict-transport-security: max-age=126230400');
if (!isset($_COOKIE['__Secure-https']) && !isset($_GET['https'])) {
// Redirect to secure version of site and add https=1 GET variable in case cookies are blocked
header('location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'].(strpos($_SERVER['REQUEST_URI'], '?')===false? '?': '&').'https=1', true, 307);
exit;
}
If the above solution is problematic because it adds ?https=1 to your URL then you can always use JavaScript. Add this to the top of your page right after <head>:
<script>
// This will redirect all requests from http to https
if (location.protocol=='http:') {
location.replace('https://'+location.host+location.pathname+location.search)
document.write('<noscript>');// hack to stop page from displaying
}
</script>
Then add the following to your PHP script if you want browsers to remember to always use HTTPS when accessing your site:
header('strict-transport-security: max-age=126230400');
or if you want browsers to have your preferences preloaded use:
header('strict-transport-security: max-age=126230400; preload');// HTTPS will always be used!
If you use the preload feature you will need to submit your web site to be included in Chrome's HSTS preload list so that browsers come preloaded with your web site preferences. If you use preload, it's also advisable to host your site on the naked domain without the www. This is because it's usually easier for most people to type in your domain without the www, and with preload your web site loads without the need of a tedious redirect since https is already the default.

Detect server side SLL with some additions:
function detectSSL(): ?bool {
// check HTTPS protocol
if( isset($_SERVER['HTTPS']) ) {
if( 'off' !== strtolower($_SERVER['HTTPS']) ) {
return true;
}
if( 1 === (int)$_SERVER['HTTPS'] ) {
return true;
}
}
if( isset($_SERVER['HTTP_X_FORWARDED_SSL']) ) {
if( 'on' === $_SERVER['HTTP_X_FORWARDED_SSL'] ) {
return true;
}
}
if( isset($_SERVER['HTTP_X_FORWARDED_PORT']) ) {
if( 443 === (int)$_SERVER['HTTP_X_FORWARDED_PORT'] ) {
return true;
}
}
if( isset($_SERVER['HTTP_X_FORWARDED_PROTO']) ) {
if( strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https' ) {
return true;
}
}
if( isset($_SERVER['REQUEST_SCHEME']) ) {
if( strtolower($_SERVER['REQUEST_SCHEME'] === 'https') ) {
return true;
}
}
// check server port
if( isset($_SERVER['SERVER_PORT']) ) {
if( 443 === (int)$_SERVER['SERVER_PORT'] ) {
return true;
}
}
// non-SSL
return null;
}
// Set URI prefix
define('uri_prefix', detectSSL() ? 'https://' : 'http://');
define('site_host', strtolower(uri_prefix . $_SERVER['HTTP_HOST']));
And addition for .htaccess:
# SSL schema off
RewriteCond %{HTTPS} off
RewriteRule .* - [E=REQUEST_SCHEME:http]
# SSL schema
RewriteCond %{HTTPS} on
RewriteRule .* - [E=REQUEST_SCHEME:https]

Categories