Suppose, I have two website first.com and second.com.
I am making a curl request from first.com by the curl. Is it, possible to know that it,s https request or http request on server second.com?
Check for $_SERVER["SERVER_PORT"] if its 80, then its a simple request, if 443 or secure protocol's port then its https.
And maybe UseCanonicalPhysicalPort = On has to set on Apache2.
http://php.net/manual/en/reserved.variables.server.php
From the manual, it seems that $_SERVER contains an indication whether this is HTTP or not.
PHP Manual
'HTTPS'
Set to a non-empty value if the script was queried through the HTTPS protocol.
Note: Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol.
So checking $_SERVER["HTTPS"] should be okay, i dont have any idea whether this can be trusted or not.
Chauhan,
it's possible via PHP Global variable. you have uses $_SERVER['HTTP_REFERER'] variable in second.com.
it will return http request url.
Learn more for php global variable visit http://php.net/manual/en/reserved.variables.server.php
Related
If I start a session like below for a server and a localhost client try to request the server via HTTP, does it response with the session cookie?
or must it go through HTTPS?
I read the doc and it did say only through HTTPS, but I wonder if localhost is an exception.
session_start([
'cookie_secure' => true
]);
Yes, it does:
If you try this in a browser, you'll also see a warning saying that the cookie was rejected.
This makes sense because PHP has no control on the entire communication channel and it's possible that the end-user is connecting to a secure proxy that redirects internally to a non-encrypted HTTP server.
I am developing an Oauth 2 authentication server and I have a problem with endpoint redirection.
Here is what the RFC says that I try to follow scrupulously:
3.1.2.1. Endpoint Request Confidentiality
The redirection endpoint SHOULD require the use of TLS as described
in Section 1.6 when the requested response type is "code" or "token",
or when the redirection request will result in the transmission of
sensitive credentials over an open network.
https://www.rfc-editor.org/rfc/rfc6749#section-3.1.2.1
Here is my question:
I know if the current request uses HTTPS with the $_SERVER ['HTTPS'] superglobal, but how do I determine if the url I'm going to redirect is using TLS
?
header("Location: $redirectUri");
Do I only rely on the protocol (https: // at the beginning of the URL)? On headers returned by a CURL request made before redirection (check the presence of the Strict-Transport-Security header) ? If not how should I do it?
PS: Normally it is not necessary but in case. Here is the complete code:
https://github.com/alexandre-le-borgne/oauth-server/blob/master/src/OAuth2/Endpoints/AuthorizationEndpoint.php#L185
My conclusion is that it is enough to check the presence of the https at the beginning of the URL.
I want to get an information from one website into a php script on another website via https. I read at www.php.net on the page of the fopen() function that this function supports HTTPS protocol.
But is it really secure SSL transmission? Is GET variable "private" value is visible on the network or not? Do I get $contents value securely?
$filename = 'https://www.somesite.com/page.php?private=45456762154';
$handle = fopen($filename , 'r');
$contents = stream_get_contents($handle);
fclose($handle);
You can check by using a tool such as Wireshark. This tool will intercept the network traffic and tell you which protocol it is travelling as, and allow you to inspect the packet contents. If it's unintelligible, it's SSL :-)
As an aside, if you're using a browser (which you're not), a similar tool is Fiddler to inspect the HTTP traffic your browser is seeing.
check out this answer, https URL with token parameter : how secure is it?
In short, it is bad idea to have secure params as GET variables because the URLs get logged at servers and gets passed around in Referer headers.
I have a load balanced dev site that I'm working out bugs for SSL on and I have ran into one last very annoying issue. On some pages I need to force it to SSL so easy enough, I just wanted to create a
header ("Location: https://www.example.com/mypage.php");
I thought that was easy enough and no worries. However, every time I do this it transforms it back to http. Well as you can figure it creates an endless loop that can't be resolved. I can't figure out how to keep that https in there so that it will pull the secure version of the page. If I navigate directly to the secure page with https it works just fine. The only issue is on this redirect.
Any help would be awesome! I'm using POUND as a load balance proxy. Apache on the web-server nodes. The SSL cert is setup at the Load Balancer.
When loadbalancing, 'internal' SSL usually goes out the door: Clients connect through a load-balancer with which you can do SSL encryption, but behind that in most loadbalancers I've seen is plain 'HTTP'. Try to get your loadbalancer to set a custom header to you indicating that there is a HTTPS connection between loadbalancer & client.
From http://www.apsis.ch/pound/index_html
WHAT POUND IS:
...
an SSL wrapper: Pound will decrypt HTTPS requests from client browsers and pass them as plain HTTP to the back-end servers.
And from more manual pages:
HTTP Listener
RewriteLocation 0|1|2
If 1 force Pound to change the Location: and Content-location:
headers in responses. If they point to the back-end itself or to
the listener (but with the wrong protocol) the response will be
changed to show the virtual host in the request. Default: 1
(active). If the value is set to 2 only the back-end address is
compared; this is useful for redirecting a request to an HTTPS
listener on the same server as the HTTP listener.
redirecting to https pages is no problem.
you can check for the port, scheme or server variable (probably server variable is the best) to see if https is on, and have it as a condition for redirecting
$_SERVER['SERVER_PORT'] == 443
parse_url($_SERVER['REQUEST_URI'],PHP_URL_SCHEME) == 'https'
$_SERVER['HTTPS'] == 'on'
but as you have an infinite loop there must be something else wrong!
try using the load blancer "balance" instead. it only takes about 5 minutes to set up, and instead of proxying, will do "real" load balancing. I would guess your proxy is currently redirecting https requests to the http address. Try making a request without using the balancer. you can do this by setting up the host name in your /etc/hosts file to point directly to a server instead of to the load balancer's IP
I would like to use a secure SSL login on my website! I have not used SSL before, so I am looking for some good reading. Can anyone tell me where I can find some sample code of SSL snippets or page code. (Not too technical)
I do have a static IP
My host is set-up to handle SSL Pages.
Interested in: Basic page code. / Tree structure. / Other
Paul
My first thought would be to simply call a function to redirect to the https: version of the current page when you need to be secure.
Some code like this:
if($requireSSL && $_SERVER['SERVER_PORT'] != 443)
{
header("HTTP/1.1 301 Moved Permanently");
header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
exit();
}
Reference
If you've an SSL enabled host, writing a login is not different to writing one without SSL - all the encryption happens at a lower layer of the protocol stack, so by the time your PHP sees the request, it's already decrypted. Similarly, your script outputs are encrypted by the HTTP server before onward transmission back to the user.
SSL happens before the request ever reaches PHP. The only impact on your PHP would be in the self-facing links you're publishing, which you'd want to switch from http://... to https://... There's a $_SERVER['HTTPS'] variable you could use to trigger this change if you'll be accepting both SSL and non-SSL connections. But if you're moving everything to SSL, you'll want to move all your links once rather than having it check on each request.