I have a merchant website linked to a bank.
I have defined this success URL in bank :
http://www.mydomain.com/deposit.php
When the user starts payment process he enters to bank website and after payment he redirects to the success URL in my website.
If a user enters my website with this URL (without www) :
http://mydomain.com/
The session expires and he should login again. but when he enters with this URL :
http://www.mydomain.com/
The session will not expire and everything is okey. how can i solve this problem?
The thing is your session cookie is probably specifically tied to www.mydomain.com, so, when you access mydomain.com, the browsers chooses not to send the session cookie.
Take a look at ini_set function, and the session.cookie_domain value.
if (count(explode('.', $domain)) > 2) {
ini_set('session.cookie_domain', $domain);
}
You can force www. (or force using just http://mydomain.com aswell) using the .htaccess file.
RewriteCond %{HTTP_HOST} !^www.mydomain\.com [NC]
RewriteRule ^(.*)$ http://www.mydomain.com/$1 [R]
The ! in the RewriteCondition tells the server that when the address does NOT equal the following, redirect it to the RewriteRule.
You can find alot more Rewrite tips 'n tricks using .htaccess on the web.
Note: For this to work, you will need to enable this first in your .htaccess file:
RewriteEngine On
And make sure your Apache (or other host) configuration supports mod_rewrite.
Taken from the HTML5 Boilerplate .htaccess:
<IfModule mod_rewrite.c>
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} !^www\..+$ [NC]
RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
Placing that in your .HTACCESS file should fix the problem. However, someone else will have to elaborate on what exactly is the cause of this problem.
Edit: Seems to me like Pablo Santa Cruz is right.
Related
I am trying to redirect my site to always open in HTTPS. I am using CloudFlare and they have a setting to "Always use HTTPS". But there is a page on my website where I do not want to use HTTPS as it opens other websites under an iFrame. And if that page also loads in HTTPS then under iFrame any website whose URL hasn't been mentioned with HTTPS doesn't open. Therefore, for that particular page I want to keep the website to be opened under HTTP.
Things I am doing:
In CloudFlare Crypto settings "Always Use HTTPS" is ON.
Then in my page where I want it to opened under HTTP say surf.php
I am using the following PHP code:
if($_SERVER['HTTP_HOST'] != 'localhost'){
if(isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'on'){
if(!headers_sent()){
header("Status: 301 Moved Permanently");
header(sprintf('Location: http://%s%s',$_SERVER['HTTP_HOST'],$_SERVER['REQUEST_URI']));
exit();
}
}
}
Now the page doesn't open and says "The page isn’t redirecting properly". What should I do? Is there any other method to accomplish this? I want to use HTTPS in whole website so "Always use HTTPS" settings in cloudflare should be ON except just surf.php. What should be the best method here?
It sounds like you are in a redirect loop. Where you have a .htaccess file that forces HTTPS, and then you redirect to HTTP using PHP. Then that new request has all the same rules applied to it so that it gets redirected by .htaccess again to HTTPS, and so on (to infinity)
So I would first make sure your not forcing HTTPS in your .htaccess file. If so you can add a RewriteCond to exclude your URL:
#RewriteEngine On #-- if not included elsewhere
#if HTTPS is not on (then continue)
RewriteCond %{HTTPS} !=on
#add this rule in (if not our page, then redirect to HTTPS)
RewriteCond %{REQUEST_URI} !^/surf\.php$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
When mod rewrite hits a Rewrite condition if it fails (is false) it will disregard the next rewrite rule. So with this in place your PHP code could do it's job, but you can also do this in htaccess alone. Because you will have dependence on the URL in there anyway, I don't see an issue doing it all in the .htaccess file.
This would basically be the opposite of the above except you know the url. Something like this:
#if HTTPS is not on (then continue)
RewriteCond %{HTTPS} !=on
#add this rule in (if not our page, then redirect to HTTPS)
RewriteCond %{REQUEST_URI} !^/surf\.php$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#if HTTPS is not off (then continue)
RewriteCond %{HTTPS}!=off
# (if is our page, then redirect to HTTP)
RewriteCond %{REQUEST_URI} ^/surf\.php$
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
I can't really test this though, but that's the general idea. If HTTPS is no off, and the %{REQUEST_URI} is our page !^/surf.php$ redirect to HTTP... Basically you have to punch a hole through the HTTPS rule and then force http.
I am pretty sure with %{REQUEST_URI} you only have to check if it starts with your URL (minus the host and protocal).
I'll admit I'm a bit rusty with complex HTACCESS rules, spoiled by MVC routers, so this may very well not be 100% correct. But the general idea is sound.
Anyway hope it helps.
My .htaccess file redirects my page to a https connections and some more redirects whenever needed.
However, I have a script which checks wheter a session is set (PHP). If so, I perform a visual action and unset the session. However, when the .htaccess kicks in with its redirects, I see the visual effect for a millisecond and on the fresh redirect from the .htaccess, the effect is gone, because the session is already unset...
I hope it's clear enough, quit a strange story but yea... it seems to happen untill now :(
Thanks for any help in advance!
P.S. simple structure:
1). Loading page -> do visual and unset session
2). .HTACCESS kicks in with the redirect to https
3). Loading page -> NO visual due to an already unset session in first step
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]
use this example at the end of your htaccess
if you want redirect non ssl then remove https:// and put http://
if you want to use subfolder to be redirected use following code
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} subfoldername
RewriteRule ^(.*)$ https://yourdomain.com/subfoldername$1 [R=301,L]
I have a single PHP file which handles credit card processing. It starts as a form to input the credit card number, then becomes a "confirm" screen (showing the credit card number) then once more to process and display the results. All three loads will be done with PHP submits (I realize the confirm might be better as Javascript, but I didn't write it). It is the only file in the directory which handles credit cards, and therefore it is the only one which needs httpS connection.
I have tried forcing this with the $_SERVER array, looking up the protocol used to connect from the prefix of the SCRIPT_URI (or other entry), but none had the prefix.
Is there a simple way to do this...i want ssl on 5 pages homepage, login, register, contact page and if user visit other page then he should be on non ssl version
Sorry for the questions, but my searches thus far here haven't uncovered a working solution, and I'm afraid I don't know what the best practice is.
Use this code on php pages you want:
if($_SERVER["HTTPS"] != "on")
{
header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
exit();
}
You should investigate $_SERVER['HTTPS']. This will have a non empty value if https is used and an empty value otherwise.
If you detect a non https connection you can redirect the user, e.g. using php header() method.
Another way to achieve this would be to use .htaccess configuration (if you're running on apache web server):
RewriteCond %{HTTPS} !=on
RewriteRule ^creditcard\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R]
Using https for the whole website is a really good option, too.
Suppose you want to redirect 4 specific pages to https,
page1.php
page2.php
page3.php
page4.php
then you would do something like this:
Create a .htaccess file in your root directory and add the following lines to it.
Options +FollowSymlinks
RewriteEngine On
RewriteBase /
#redirect www.yourdomain.com to yourdomain.com (or any other subdomain)
RewriteCond %{HTTP_HOST} !^yourdomain.com$ [NC]
RewriteRule ^(.*)$ http://yourdomain.com/$1 [L,R=301]
#force https for certain pages
RewriteCond %{HTTPS} !=on
RewriteRule ^(page1\.php|page2\.php|page3\.php|page4\.php)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R]
Due to my hosting company's policies I am using pretty url in CakePHP (without the Apache mod rewrite). My homepage is at:
http://stthomasedu.org/index.php/home
How can I redirect traffic from
'http://stthomasedu.org/' to 'http://stthomasedu.org/index.php/home' ?
I've tried to edit index.php with
header("Location:http://stthomasedu.org/index.php/home");
but it's not working, every time I have to manually enter the URL "http://stthomasedu.org/index.php/home"
Any ideas?
SOLVED : IN C-PANEL I HAVE AN OPTION TO REDIRECT ALL MY TRAFFIC TO (http://stthomasedu.org) ANY LOCATION (now i set it to http://stthomasedu.org/index.php/home)
Since you are using Apache, you can add these lines in a .htaccess:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^$
RewriteCond %{HTTP_HOST} ^stthomasedu.org$
RewriteRule ^$ http://stthomasedu.org/index.php/home [L,R=301]
Did you remember to exit after your header() call?
header('Location: /index.php/home');
exit;
I have a domain say http://www.testexample.com. When I login to http://www.testexample.com and come back to http://testexample.com in browser; the logged in user information is not displayed.
I know that the both of the above are treated differently and hence it is not retaining the session for http://www.testexample.com while accessing http://testexample.com.
Please let me know if cakephp has a way to do a match on the TLD. So whenever I type http://testexample.com it should take session for http://www.testexample.com
I am using the following code to redirect from one URL to the other
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ps6309 [NC]
RewriteRule ps6309.domain.co.in [L,R=301]
this is on my local test machine. This works sometimes and sometimes doesn't.
Also I have added the rewritelog directive to my httpd.conf file.
But the log file is not getting updated.
Please let me know if anyone has any pointers to this.
Use .htaccess to redirect all http://domain.com -> http://www.domain.com
RewriteCond %{HTTP_HOST} !^www\.domain\.com
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=permanent,L]
Set the domain for the cookie as testexample.com, then it can be shared across sub domains as well as not worrying about www.
If you have many projects and don't want to hard code your domain name on .htaccess again and over again, try this code:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule (.*) http://www.%{HTTP_HOST}/$1 [R=301,L]
this will redirect non-www to www. While you're using cakephp, then put it on your .htaccess which is located at /webroot
Try ini_set('session.cookie_domain', $domain); (documented as ini_set session.cookie_domain and session_set_cookie_params()), where $domain is your domain name prefixed by a .. So, using the domain example.com (per rfc 2606), you'd use:
ini_set('session.cookie_domain', '.example.com');
Please note that this is not a CakePHP specific solution - looking at the code for CakeSession, session.cookie_domain is never set, meaning that it falls to it's default value. Stuffing that line in your app/config/bootstrap.php or app/config/core.php should do it for you.