How do I use PHP with SSL - php

My server provides SSL connections via https, although the certificate costs extra...
Is there anything that needs to be changed in the PHP code to utilize this protocol?
My site has:
ajax forms via POST
regular forms and pages using POST and GET parameters
Session variables

You should be good to go. PHP does not impact the use of SSL or not.
Things you should check are:
Are all URLs in your application relative (no http://)?
Are assets (CSS/JS/IMG) used in your site (both from internal and external sources) also referenced as relative paths or prefixed with https://?
With an asset without https:// in an SSL-powered site, browsers will warn your visitors that something ain't right.
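A quick way to run the asset check from this answer, as an added example that is not part of the original post: it parses a page and lists every sub-resource or form target still referenced with http://. The function name find_insecure_assets() and the sample HTML are constructed for illustration.

```php
<?php
// Added example: the HTML below is a constructed sample, not taken from any real site.
function find_insecure_assets(string $html): array
{
    // Element => attribute pairs that make the browser fetch or submit to a URL.
    // <link> also covers non-loading rels (e.g. canonical), so review those hits by hand.
    $targets = [
        'script' => 'src', 'img' => 'src', 'iframe' => 'src', 'source' => 'src',
        'link'   => 'href', 'form' => 'action',
    ];
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // real-world HTML is rarely valid
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $found = [];
    foreach ($targets as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $node) {
            $url = trim($node->getAttribute($attr));
            // Relative, https:// and protocol-relative (//host/...) URLs are fine.
            if (stripos($url, 'http://') === 0) {
                $found[] = "<$tag $attr=\"$url\">";
            }
        }
    }
    return $found;
}

$sample = <<<'HTML'
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<img src="https://static.example.com/logo.png">
<img src="//static.example.com/icon.png">
<img src="http://www.example.com/banner.jpg">
<form method="post" action="http://www.example.com/contact.php"></form>
</body></html>
HTML;

foreach (find_insecure_assets($sample) as $hit) {
    echo $hit, PHP_EOL;
}
```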

You can use the server .htaccess file to redirect all your links. So when the standard page is opened via say a link the server redirects to the https version...
# Permanent redirect of ALL old pages to HTTPS (mod_rewrite must be enabled):
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Other than any hard-coded URLs, no, your code shouldn't know about the difference, nor care.

I'd have to say the same as mvbrakel, but as far as session cookies/cookies go, you will want to turn on HTTPS only if you are using HTTPS on ALL your pages.
Also, with HTTP only added to cookies, JS scripts won't be able to check the value and such.

The code does not need to be changed, other than to change all links from http:// to https:// (seriously, don't forget that, else you aren't using SSL...)

Related

How to force WordPress to use HTTP, --not-- HTTPS after being configured to run as HTTPS on other server

How do I definitively and totally stop WordPress from rewriting all URLs from HTTP to HTTPS?
I need to set it up on a testing server and run there without an SSL certificate on an internal-only server so I can test PHP 7.2 which is breaking my live WP site with my plugin mix.
I have got a copy of the site on a different server but I simply cannot get it to STOP using HTTPS on every single link – it currently fails to load as it keeps requesting HTTPS but there is no certificate or set up loaded on the testing server to use HTTPS and apache isn't even listening on port 443 on that testing server.
Already changed the WP_HOME and WP_SITEURL in wp-config.php to refer to HTTP, and used the test server’s IP instead of the site domain name. Also put in
define('FORCE_SSL_ADMIN', false);
define('FORCE_SSL', false);
Dumped the DB to disc, truncated the live tables, then text-replaced all https://domainname.com occurrences with http://192.168.0.1 (for example) in the dumpfile, and reloaded every table’s data back into it to get rid of ALL references to “https” in any URLs in the DB.
Put this in my .htaccess (which DOES get parsed, as I can crash the testing server’s httpd by putting crud into it):
.
.
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
.
.
So:
The .htaccess deliberately rewrites any requests to port 443 or HTTPS to HTTP.
There is an index.htm and index.html that specify 192.168.0.1/index.php in the /var/www/html folder via meta refresh tags.
The wp-config specifies for WP_HOME and WP_SITEURL “http://192.168.0.1” and FORCE_SSL_* are set to “false”.
But still, referencing in a browser
http://192.168.0.1 or http://192.168.0.1/index.php
always results in
https://192.168.0.1
being rewritten in the browser address bar and then the browser just stops and reports the page as unreachable. Have cleared cache and can insert arbitrary “die(…” commands and see them render if I CTRL F5, so the browser cache is not a factor.
All I want to do is test if PHP 7.2 will break my site – on a testing server without HTTPS.
What is there besides .htaccess, wp-config.php and the associated MySQL database that still forces WP to HTTPS instead of HTTP when directly referencing in a web browser the testing server’s 192.168.0.1 IP?
I just need WP to -actually- use
http://192.168.0.1
and stick with that instead of each time making it https://192.168.0.1
Expected result is to not see URL rewriting in WordPress from http:// to https:// in the browser address bar on the testing server.
Stefan
Ok found the solution (at least partially) to this.
Had a plugin called "Really Simple SSL" loaded. Manually disabled this, and now the site is at least partially loading. Still have severe errors and mangled URLs that don't work, but at least it is not each time jumping into HTTPS.
Thanks for the replies!
Stefan

SSL Encryption Issue

I have hosted an ecommerce website with the OpenCart script at www.medicosales.in
I am facing some errors.
The website when opened by typing medicosales.in is NOT automatically resolving to https:// where I have seen in SSL secured sites that just by typing yourdomain.com the URL automatically takes https://
It's showing this message
How to solve it?
You should set up your .htaccess file if you're using Apache, or similar if you're using another webserver to rewrite your URLs to include https:// if they do not already. This will force the user's browser to access via the correct protocol.
For Apache place the following code into the top of your .htaccess file in your document root for the site ensuring mod_rewrite is enabled.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Whenever you load a resource externally e.g. via something like <img src="http://example.com/myimage.jpg" ... you must ensure that the protocol is HTTPS also otherwise your browser will give you that message since the resource was not loaded securely.
The way to fix this is ensure that all externally linked resources have their URLs prefixed with // and not http://. This way the browser will use the current protocol to fetch the resource.
Thanks #davidgiga1993 for pointing out // rather than using https://
It is not automatic. You need to send a 302/301 redirect back to the user pointing to the https URL.

All pages across domain require HTTPS

I just bought SSL for my domain and the host installed it and now all pages are requiring "HTTPS". Is there a way to fix this globally and only display the https pages when I call for them?
Example:
example.com - won't work
https://example.com - works
I know I have to link to the pages I want secure with https, none of the pages are working though and host won't help.
it’s important to avoid this by ensuring that every image, CSS and JavaScript file on a secure page is accessed using HTTPS. For content on the same domain it’s quite straightforward – you just need to use relative URLs. A relative URL contains the ‘offset’ URL that needs to be applied to the page’s absolute URL in order to find a resource.
A problem arises though, if you attempt to access a resource from a different domain because you can’t use the simple path-relative URL to access the resource. This often happens when you attempt to use a third party service such as Google Analytics or a third party Ajax library CDN.
Google Analytics solves the problem with its external JavaScript file by recommending the use of this code to dynamically switch protocols:
var gast = (("https:" == document.location.protocol) ?
"https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gast +
"google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
Redirect from http to https
This bit will help you tremendously when you’ve not updated every single link in your site yet. You can just add a straight server level redirect from http to https.
In Apache you’d do something like this:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
You can force https access with htaccess. Try the following:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]
Please replace www.yourdomain.com with your own.
Note: Please do remember to get your mod_rewrite ON for the server.

How can I make the same session function on both "mysite.com" and "www.mysite.com"?

I am having a problem over and over where a member is logged into my site using www. and if he accesses a link without www., the session variables don't carry over.
What's the way to make them both access the same place?
Ideal
Your site should reside on one canonical domain. So you should pick either www. or the top level domain and change all your links so that they point to one web address. It would be wise to switch to setting the domain in a configuration and using that to create web addresses across your application - this way you can easily change the URL later if you wish.
If you are running Apache you can also easily redirect traffic from one domain to the other by adding the following to the .htaccess file of your site:
# Enforce the use of the www. subdomain on the site's URL
# (the dot is escaped so that only a literal "www." prefix is treated as already canonical)
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
I should also mention that there is a growing movement away from using the www. subdomain as the main "URL" for a site. See: http://no-www.org/index.php
Less ideal
You change the cookie configuration when you set it so that it will work across domains. This is described on the setcookie() manual page with the domain parameter:
The domain that the cookie is available to. Setting the domain to 'www.example.com' will make the cookie available in the www subdomain and higher subdomains. Cookies available to a lower domain, such as 'example.com' will be available to higher subdomains, such as 'www.example.com'. Older browsers still implementing the deprecated RFC 2109 may require a leading . to match all subdomains.
The only issue with this is that your site will still be accessible via two URLs.
Solution 1: Set the cookie's domain to the domain name without the www prefix (this way both requests should be sent with the cookie data).
Solution 2: Redirect everyone using the variant without the prefix to the one with the prefix (e.g. using mod_rewrite).
Modify your server configuration to 301 redirect traffic from 'yourdomain.com' to 'www.yourdomain.com'
When a user accesses the www.* site, redirect them to the other site automatically.
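The cookie settings discussed in this thread and in the cookie answer of the first thread, as an added example that is not taken from any of the posts: one session cookie scoped to the bare domain so it is sent to both host names, marked Secure and HttpOnly. The domain example.com and the helper names are placeholders, and Secure presumes every page is served over HTTPS.

```php
<?php
// Added example. example.com and start_shared_session() are placeholders.
// The array form of session_set_cookie_params() needs PHP 7.3 or later.

function request_is_https(): bool
{
    // Assumes TLS terminates on this server; behind a TLS-terminating proxy
    // $_SERVER['HTTPS'] is not set and this check has to be adapted.
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

function start_shared_session(string $baseDomain): bool
{
    if (!request_is_https()) {
        // The browser never returns a Secure cookie over plain HTTP, so a
        // session started here would look "lost" on the next request.
        return false;
    }
    session_set_cookie_params([
        'lifetime' => 0,           // expires when the browser closes
        'path'     => '/',
        'domain'   => $baseDomain, // bare domain: sent to it and to every subdomain
        'secure'   => true,        // HTTPS only
        'httponly' => true,        // hidden from document.cookie
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // ignore session ids the server did not issue
    return session_start();
}

if (!start_shared_session('example.com')) {
    http_response_code(400);
    exit('This page must be requested over HTTPS.');
}
if (empty($_SESSION['started'])) {
    session_regenerate_id(true); // fresh id for a new session
    $_SESSION['started'] = time();
}
```

Because the cookie is scoped to the bare domain, every subdomain receives it, so the redirect to one canonical host is still worth keeping.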

CakePHP - Selective SSL

How do I force HTTPS for certain parts of a site, e.g. a login page or register page, and use HTTP for the rest of the site?
My favorite convert to https forcing method is to put this as the first thing in your php script. It works in Joomla, and may very well work in CakePHP.
if ($_SERVER['SERVER_PORT'] == 80) {
    header('Location: https://'.$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']).'/'.basename($_SERVER['PHP_SELF']));
    die();
}
This snippet will force https on whatever page you are viewing. If you want to isolate certain pages, just put some conditions based on the information in the "$_SERVER['PHP_SELF']" variable.
Otherwise, modify the .htaccess file, assuming your host allows you access to this:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} somefolder
RewriteRule ^(.*)$ https://www.domain.com/somefolder/$1 [R,L]
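The PHP snippet in this answer builds the redirect target from the client-supplied Host header and drops the query string. As an added example (not the answerer's code), the same per-page redirect with the host checked against an allowlist and the query string kept; the host names, the path prefixes and the function name are placeholders, and TLS is assumed to terminate on this server.

```php
<?php
// Added example: placeholder hosts and paths, not from the original answer.
const ALLOWED_HOSTS       = ['www.example.com', 'example.com'];
const CANONICAL_HOST      = 'www.example.com';
const HTTPS_ONLY_PREFIXES = ['/login', '/register'];

// Returns the https:// URL to redirect to, or null when no redirect is needed.
function https_redirect_target(array $server): ?string
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return null; // request already arrived over TLS
    }
    // Keep path and query string, but only if it really is a local path.
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }
    $path = strtok($uri, '?');
    $needsTls = false;
    foreach (HTTPS_ONLY_PREFIXES as $prefix) {
        if ($path === $prefix || strpos($path, $prefix . '/') === 0) {
            $needsTls = true;
            break;
        }
    }
    if (!$needsTls) {
        return null;
    }
    // Never echo an unknown Host header back into Location; a value with a
    // port or an unexpected name falls back to the canonical host.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        $host = CANONICAL_HOST;
    }
    return 'https://' . $host . $uri;
}

$target = https_redirect_target($_SERVER);
if ($target !== null) {
    header('Location: ' . $target, true, 301);
    exit;
}
```

A session cookie issued on /login still travels in clear text on the HTTP pages unless it is marked Secure, which is why redirecting every path is the simpler configuration.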
I did the exact thing with CodeIgniter. I'm not totally familiar with CakePHP but I'm sure the process is similar.
I set up Apache to point SSL and non-SSL traffic to the same directory.
Then I created an array in the config that listed which controllers needed to have SSL (register, login, etc)
Then created a function in an autoloaded helper that checked to see if the current controller was in that array and then it would reset the base_url with https:// instead of http://. If the controller wasn't in the array, it would force the base_url to http://.
Worked flawlessly for me. Let me know if code examples from my CodeIgniter project would be helpful.
Similar post that may help.
You may load the RequestHandler component and use the isSsl() function to determine if it is coming from a http or https, if !isSsl then redirect it to a https page :) else do whatever other thing you want.
book info of the isSsl function here
A better solution might be doing this with mod_rewrite with htaccess for certain URLs and leaving the code out of it altogether.
You can set up your rewrite rules for just certain URLs.
Here is a lead on how to do it for an entire site:
http://www.besthostratings.com/articles/force-ssl-htaccess.html
