Force users to access my page over HTTPS instead of HTTP? - php

Follow up question to what is posted here:
How can I force users to access my page over HTTPS instead of HTTP?
I've added the following code to one page, the index.php page of my CART directory.
if($_SERVER["HTTPS"] != "on")
{
header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
exit();
}
When I browse the site starting from the index page, all files within the CART directory are loaded through HTTPS (which I actually want), but if I click a link to another page outside the CART folder, it goes back to HTTP.
How is this working this way? How is the HTTPS staying active for pages within the CART directory? If I type in a URL for a page within the CART directory, HTTPS is not enforced, which makes sense.
The site URL is http://wtc.betaforming.com
Trying to wrap my brain around this, thanks.
Brett

I would recommend adding this bit of code to your .htaccess file (if you're running Apache) in your root directory.
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} =off
# Group the alternatives so that ^ applies to every directory, not only the first
RewriteRule ^(DIRECTORY1|DIRECTORY2|DIRECTORY3) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !^/(DIRECTORY1|DIRECTORY2|DIRECTORY3)
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
Where you replace DIRECTORY1,DIRECTORY2, etc. with the directories that you want to force HTTPS on, then doing it in reverse (the code just below), by saying if not DIRECTORY1,DIRECTORY2, etc. then redirect to HTTP.
Hope this helps

You answered your own questions in your question:
How is this working this way? How is the HTTPS staying active for pages within the CART directory?
...when you said:
I've added the following code to one page, the index.php page of my CART directory.
See? You're enforcing HTTPS requirement for pages in your cart directory, but not elsewhere. Which reflects what you're seeing on your site. If you want to require HTTPS site-wide, consider using your webserver to enforce that requirement. For example with Apache and mod_rewrite you might try something like this:
<IFModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</IFModule>
EDIT
In a comment in your post you say "I'm trying to understand how/why HTTPS is being enforced when browsing to other pages in the CART directory from the index.php page". My guess (and it is a guess since you have not shown us your code) is that those URLs are built in a ssl-agnostic way, like this:
I'm SSL-enabled on a page with HTTPS in the address bar
Again though, without seeing your code, it's impossible to say.
Cheers

<?php
// Require https
if ($_SERVER['HTTPS'] != "on") {
$url = "https://". $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
header("Location: $url");
exit;
}
?>
Try to add this on the file you're trying to access in HTTPS and it will force the browser to load in HTTPS.

Related

Redirection from HTTP to HTTPS (Best method is .htaccess or PHP redirection code)

It was required for me to redirect my website's links from http to https.
After searching on Google, I found code to insert in the .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
But unfortunately .htaccess file was hidden in my hosting cPanel and unable to rewrite.
So I found following PHP code for redirection from http to https (as an alternate to .htaccess)
// Redirection from http to https
if($_SERVER["HTTPS"] != "on") {
header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
exit();
}
I placed above code on each page and it is redirecting perfectly.
I want to know: is there any drawback of using PHP code instead of .htaccess for redirection from http to https?
Solution one (edit .htaccess file)
To see the .htaccess file, try to do the following
Go to the Cpanel
Click file manager
Choose hidden files
select .htaccess file and click edit
Solution two (use Cloudflare.com)
use Cloudflare https redirection rule if your domain is linked to Cloudflare

Redirecting site for HTTPS

I am trying to redirect my site to always open in HTTPS. I am using CloudFlare and they have a setting to "Always use HTTPS". But there is a page on my website where I do not want to use HTTPS as it opens other websites under an iFrame. And if that page also loads in HTTPS then under iFrame any website whose URL hasn't been mentioned with HTTPS doesn't open. Therefore, for that particular page I want to keep the website to be opened under HTTP.
Things I am doing:
In CloudFlare Crypto settings "Always Use HTTPS" is ON.
Then in my page where I want it to be opened under HTTP, say surf.php
I am using the following PHP code:
if($_SERVER['HTTP_HOST'] != 'localhost'){
if(isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'on'){
if(!headers_sent()){
header("Status: 301 Moved Permanently");
header(sprintf('Location: http://%s%s',$_SERVER['HTTP_HOST'],$_SERVER['REQUEST_URI']));
exit();
}
}
}
Now the page doesn't open and says "The page isn’t redirecting properly". What should I do? Is there any other method to accomplish this? I want to use HTTPS in whole website so "Always use HTTPS" settings in cloudflare should be ON except just surf.php. What should be the best method here?
It sounds like you are in a redirect loop. Where you have a .htaccess file that forces HTTPS, and then you redirect to HTTP using PHP. Then that new request has all the same rules applied to it so that it gets redirected by .htaccess again to HTTPS, and so on (to infinity)
So I would first make sure you're not forcing HTTPS in your .htaccess file. If so you can add a RewriteCond to exclude your URL:
#RewriteEngine On #-- if not included elsewhere
#if HTTPS is not on (then continue)
RewriteCond %{HTTPS} !=on
#add this rule in (if not our page, then redirect to HTTPS)
RewriteCond %{REQUEST_URI} !^/surf\.php$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
When mod rewrite hits a Rewrite condition if it fails (is false) it will disregard the next rewrite rule. So with this in place your PHP code could do its job, but you can also do this in htaccess alone. Because you will have dependence on the URL in there anyway, I don't see an issue doing it all in the .htaccess file.
This would basically be the opposite of the above except you know the url. Something like this:
#if HTTPS is not on (then continue)
RewriteCond %{HTTPS} !=on
#add this rule in (if not our page, then redirect to HTTPS)
RewriteCond %{REQUEST_URI} !^/surf\.php$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#if HTTPS is not off (then continue)
RewriteCond %{HTTPS} !=off
# (if is our page, then redirect to HTTP)
RewriteCond %{REQUEST_URI} ^/surf\.php$
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
I can't really test this though, but that's the general idea. If HTTPS is not off, and the %{REQUEST_URI} is our page !^/surf.php$ redirect to HTTP... Basically you have to punch a hole through the HTTPS rule and then force http.
I am pretty sure with %{REQUEST_URI} you only have to check if it starts with your URL (minus the host and protocol).
I'll admit I'm a bit rusty with complex HTACCESS rules, spoiled by MVC routers, so this may very well not be 100% correct. But the general idea is sound.
Anyway hope it helps.
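An added example, not code from any of the posts above: the PHP checks in these threads read `$_SERVER['HTTPS']` and `$_SERVER['HTTP_HOST']` directly, which misreports the scheme when a proxy such as Cloudflare terminates TLS and connects to the origin over plain HTTP, and which copies a client-controlled header into `Location`. The sketch assumes the proxy sets `X-Forwarded-Proto`; `TRUSTED_PROXIES`, `ALLOWED_HOSTS` and the function names are hypothetical.

```php
<?php
// Added example (not from the original posts). TRUSTED_PROXIES and ALLOWED_HOSTS
// are hypothetical values; replace them with your own proxy addresses and hostnames.
const TRUSTED_PROXIES = ['203.0.113.10'];     // constructed (TEST-NET-3) address
const ALLOWED_HOSTS   = ['shop.example.com']; // constructed hostname, first entry is canonical

// True when the client's connection is HTTPS, either directly or as reported
// by a trusted TLS-terminating proxy via X-Forwarded-Proto (assumed header).
function request_is_https(array $server): bool
{
    // $_SERVER['HTTPS'] may be unset, empty, or "off" on a plain HTTP request.
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    // Only believe the forwarded scheme when the request came from our proxy.
    $viaTrustedProxy = in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true);
    $forwarded = strtolower((string)($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $viaTrustedProxy && $forwarded === 'https';
}

// Returns the URL to redirect to, or null when the request is already HTTPS.
function https_redirect_target(array $server): ?string
{
    if (request_is_https($server)) {
        return null; // redirecting here is what produces a loop behind a proxy
    }
    // Never copy the client-supplied Host header into Location unchecked;
    // anything not on the allowlist (including host:port forms) gets the canonical host.
    $host = strtolower((string)($server['HTTP_HOST'] ?? ''));
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        $host = ALLOWED_HOSTS[0];
    }
    return 'https://' . $host . ($server['REQUEST_URI'] ?? '/');
}

// Constructed sample requests, so the logic can be run from the CLI.
$samples = [
    'plain http'         => ['HTTP_HOST' => 'shop.example.com', 'REQUEST_URI' => '/cart/'],
    'https behind proxy' => ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_PROTO' => 'https',
                             'HTTP_HOST' => 'shop.example.com', 'REQUEST_URI' => '/cart/'],
    'unexpected host'    => ['HTTP_HOST' => 'other.example', 'REQUEST_URI' => '/cart/'],
];
foreach ($samples as $label => $server) {
    printf("%-20s => %s\n", $label, https_redirect_target($server) ?? '(no redirect)');
}
```

In a page, call `https_redirect_target($_SERVER)` before any output and, when it returns a URL, send it with `header('Location: ' . $url, true, 301)` followed by `exit`.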

How do I force HTTPS on some pages? (PHP)

I have a single PHP file which handles credit card processing. It starts as a form to input the credit card number, then becomes a "confirm" screen (showing the credit card number) then once more to process and display the results. All three loads will be done with PHP submits (I realize the confirm might be better as Javascript, but I didn't write it). It is the only file in the directory which handles credit cards, and therefore it is the only one which needs httpS connection.
I have tried forcing this with the $_SERVER array, looking up the protocol used to connect from the prefix of the SCRIPT_URI (or other entry), but none had the prefix.
Is there a simple way to do this? I want SSL on 5 pages (homepage, login, register, contact page), and if the user visits another page then he should be on the non-SSL version.
Sorry for the questions, but my searches thus far here haven't uncovered a working solution, and I'm afraid I don't know what the best practice is.
Use this code on php pages you want:
if($_SERVER["HTTPS"] != "on")
{
header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
exit();
}
You should investigate $_SERVER['HTTPS']. This will have a non empty value if https is used and an empty value otherwise.
If you detect a non https connection you can redirect the user, e.g. using php header() method.
Another way to achieve this would be to use .htaccess configuration (if you're running on apache web server):
RewriteCond %{HTTPS} !=on
RewriteRule ^creditcard\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R]
Using https for the whole website is a really good option, too.
Suppose you want to redirect 4 specific pages to https,
page1.php
page2.php
page3.php
page4.php
then you would do something like this:
Create a .htaccess file in your root directory and add the following lines to it.
Options +FollowSymlinks
RewriteEngine On
RewriteBase /
#redirect www.yourdomain.com to yourdomain.com (or any other subdomain)
RewriteCond %{HTTP_HOST} !^yourdomain\.com$ [NC]
RewriteRule ^(.*)$ http://yourdomain.com/$1 [L,R=301]
#force https for certain pages
RewriteCond %{HTTPS} !=on
RewriteRule ^(page1\.php|page2\.php|page3\.php|page4\.php)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R]

Problems with SSL to non-SSL htaccess redirect

I need some help with URL rewriting.
I need just 1 dynamic page (signin) to be handled via SSL, all other pages need to be redirected to HTTP.
So here my .htaccess file for :443 virtualhost:
RewriteEngine on
RewriteRule ^signin$ https://www.page.com/?s=signin [L,NC]
RewriteCond %{REQUEST_URI} !^\/(signin)+ [NC]
RewriteRule ^(.*)$ http://%{SERVER_NAME}/$1 [R=302,L]
What happens is, that https://www.page.com/signin gets redirected via the 302 redirect to http://www.page.com/?s=signin
What am I doing wrong?
Your question is tagged with PHP. Is your signin page PHP?
Add this to the top of your signin page and that page will force itself to the HTTPS.
if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == "") {
    $redirect = "https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
    header("Location: $redirect");
    exit; // stop here so the rest of the page is not sent over HTTP
}
Ok, I take this as an apache question. To explain what seems to happen first:
Your first rule redirects to
https://www.page.com/?s=signin
This does not match the REQUEST_URI Condition !^/(signin)+; so the second rule redirects to
http://www.page.com/?s=signin
Probably your condition should read something along the lines of:
# REQUEST_URI contains only the path, so the query string is tested via QUERY_STRING
RewriteCond %{QUERY_STRING} !^s=signin [NC]
To see what exactly mod_rewrite does, enable the rewrite log, if you can - how to do this depends on the apache version.

How to rewrite from http requests to https on specific pages of my site?

Hey people. I see that this topic is repeated over and over on SO but I tried several solutions posted here and none of them worked quite for me. So basically - I know how to change specific pages on my website so that they're in https mode. However, I dunno how to rewrite the http requests that are INSIDE the code. So for example, if my page, say, payment.php, contains a link that loads an external CSS file like this -> http://example.com/somecss.css then google chrome will see it as a dangerous link and display a cross-red padlock next to the site url. Now, I've tested it manually by changing all the http requests inside the code to https and the padlock magically became green so I guess I need some kind of mod rewrite rule that would rewrite all the links on those specific pages so that they would contain https. I hope I explained it well enough. Can anyone help me? I'm using codeigniter.
To rewrite the http requests inside the code you have to use protocol-relative paths there.
<link rel="stylesheet" href="//www.domain.com/style.css">
<script src="//www.domain.com/script.js"></script>
It will automatically use the protocol of the parent page
You have to make sure that the user is browsing your site over secure connection. You can redirect the user to secure connection (https://) using an .htaccess file containing the following lines:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
Please, note that the .htaccess should be located in the web site main folder.
In case you wish to force HTTPS for a particular folder you can use:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} somefolder
RewriteRule ^(.*)$ https://www.domain.com/somefolder/$1 [R,L]
The .htaccess file should be placed in the folder where you need to force HTTPS.
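An added example, not code from the posts above: mod_rewrite only acts on incoming requests, so it cannot change `http://` URLs already written into a page's HTML. This PHP sketch lists the subresources an HTTPS page would still request over plain HTTP; the function name, the tag/attribute map and the sample page are assumptions made for illustration.

```php
<?php
// Added example (not from the original posts): list the subresources an HTTPS
// page would load over plain HTTP. The tag/attribute map is a chosen subset.
const SUBRESOURCE_ATTRS = [
    'script' => 'src',
    'link'   => 'href',
    'img'    => 'src',
    'iframe' => 'src',
];

function find_insecure_subresources(string $html): array
{
    $doc = new DOMDocument();
    // Real-world HTML is rarely valid; collect parser warnings instead of printing them.
    $previous = libxml_use_internal_errors(true);
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $found = [];
    foreach (SUBRESOURCE_ATTRS as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $node) {
            $url = trim($node->getAttribute($attr));
            // Only an explicit http:// scheme is mixed content on an HTTPS page;
            // https:// and protocol-relative // URLs follow the secure page.
            if (stripos($url, 'http://') === 0) {
                $found[] = "<$tag $attr=\"$url\">";
            }
        }
    }
    return $found;
}

// Constructed sample page: one insecure stylesheet, two safe references.
$page = <<<'HTML'
<html><head>
<link rel="stylesheet" href="http://example.com/somecss.css">
<script src="//www.domain.com/script.js"></script>
</head><body><img src="https://example.com/logo.png"></body></html>
HTML;

print_r(find_insecure_subresources($page));
```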
