I was trying to use this code:
if($_SERVER['HTTP_PORT'] !== 443 && !isset($_SERVER['HTTPS'])) {
header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
exit;
}
to make my login page and register page contain https to use the ssl to make sure that everything is secure, but when I run the page an error message shows up Undefined index error using $_SERVER['HTTPS']
so I decided to use another one:
if ( isset( $_SERVER["HTTPS"] ) && strtolower( $_SERVER["HTTPS"] ) == "on" ) {
$pageURL .= "s";
}
but it didn't work. The https didn't show up and http is only there...
any idea how to do that with php...
Thanks
The solution is:
if($_SERVER["HTTPS"] != "on")
{
header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
exit();
}
From the manual:
$_SERVER['HTTPS']
Set to a non-empty value if the script was queried through the HTTPS protocol.
Therefore, you should be using the following condition to check for an HTTPS connection:
if(!empty($_SERVER['HTTPS']))
{
// https://...
}
You'd better use $_SERVER['SERVER_PORT'].
HTTP_PORT doesnt always return the portnumber.
Related
i want to redirect HTTPS to HTTP for spesific url like :
http://www.example.com/abc.php
this script working well redirected to HTTPS for all pages, but i don't know how to redirect HTTP for specific url
if ($_SERVER['HTTPS'] == "on" && $settings['ssl_host'] == "yes") {
$porthttps = "https://" . $_SERVER['SERVER_NAME'];
header("Location: " . $porthttps);
exit();
}
Thank you.
I have a PHP script which receives user and pass as a URL parameter and stores this in a database.
In order to use this script I have to access
http://ipadress/script.php?user=testuser&pass=1234
that's the IP address of a Linux machine.
What changes should I make in order to be able to change from http to https? I have to use SLL certificates or is there a solution which allow me to do this from my PHP script?
Can you offer me some hints, please ?
I hope this helps!
$redirect= false;
if (!isset($_SERVER['HTTPS'])) {
$redirect= true;
} else {
if ($_SERVER['HTTPS'] != "on")
$redirect= true;
}
if ($redirect) {
$url = "https://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
header("HTTP/1.1 301 Moved Permanently");
header("Location: ".$url);
exit();
}
Very simple issue we cannot resolve. The following code does not redirect properly:
$location = str_replace("http","https",$this->page->current_url);
header( "Location: ".$location );
I get a 400 Error: "Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.Instead use the HTTPS scheme to access this URL, please."
How can I redirect in PHP from a page served over HTTPS to a page served over HTTP for scenarios such as secure login and then redirect to nonsecure app page?
try this, for me works fine
<?php
if ( $_SERVER['HTTPS'] )
{
$host = $_SERVER['HTTP_HOST'];
$request_uri = $_SERVER['REQUEST_URI'];
$good_url = "http://" . $host . $request_uri;
header( "HTTP/1.1 301 Moved Permanently" );
header( "Location: $good_url" );
exit;
}
?>
This will work for http to https and https to http (use some tweaks to check)
First check whether the https is ON on your hosting if yes than redirect the URL to https using below mentioned function in PHP
function httpToHttps()
{
$pageURL = 'http';
if ($_SERVER["HTTPS"] == "on") {$pageURL .= "s";}
$pageURL .= "://";
if ($_SERVER["SERVER_PORT"] != "80")
{
$pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
}
else
{
$pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_UR
I"];
}
return $pageURL;
}
if( isset($_SERVER['HTTPS'] ) ) {
header( "Location:foo.php");
Not sure if this can cause such a problem, but you should add an exit after calling the header function. This makes sure that the following code will not be executed and the HTTPS request itself returns no data. The header function should be called before anything is returned.
$target = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
header('Location: '.$target, true, 303);
exit;
Duh - I have no clue why I did not look at $location. It contained http//localhost:443/[...] which is invalid. I simply remove the :443 and it works fine.
I have a website in Zend framework. Here I want to identify whether the current URL contains HTTPS or HTTP? I have used the following code
if($_SERVER['HTTPS']==on){ echo "something";}else{ echo "something other";}
But the result is not correct. Is there is any other way to identify this?
Also I have one more question.
How to get complete current url (including HTTP/HTTPS) using php?
Please help me
Thanks in advance
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
echo "something";
} else {
echo "something other";
}
notice the on should be a string .
You could use methods that are already defined in Zend Framework instead of explicitly using $_SERVER superglobals.
To determine if the connection is HTTP or HTTPS (this code should go into your controller):
if ( $this->getRequest()->isSecure() ) { echo 'https'; } else { echo 'http'; }
To get complete current url:
$this->getRequest()->getScheme() . '://' . $this->getRequest()->getHttpHost() . $this->getRequest()->getRequestUri();
The better way to check is
if (isset($_SERVER['HTTPS']) && $_SEREVER['HTTPS'] != 'off')
{
//connection is secure do something
}
else
{
//http is used
}
As stated in manual
Set to a non-empty value if the script
was queried through the HTTPS
protocol.
Note: Note that when using ISAPI with IIS, the value will be off if the
request was not made through the HTTPS
protocol.
you need to fix check it should be
if ($_SERVER['HTTPS'] == 'on')
or try following function
if(detect_ssl()){ echo "something";}else{ echo "something other";}
function detect_ssl() {
return ($_SERVER['HTTPS'] == 'on' || $_SERVER['HTTPS'] == 1 || $_SERVER['SERVER_PORT'] == 443)
}
This will both check if you're using https or http and output the current url.
$https = ((!empty($_SERVER['HTTPS'])) && ($_SERVER['HTTPS'] != 'off')) ? true : false;
if($https) {
$url = "https://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
} else {
$url = "http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
}
Is there a way to check if the current page was opened with SSL? For example, I want my login page (login.php) to check if it was accessed using SSL (https://mywebserver.com/login.php). If not, redirect them to the SSL version of the page.
Pretty much, I want to enfore that the user uses the page securely.
You should be able to check that $_SERVER['HTTPS'] is set, e.g.:
if (empty($_SERVER['HTTPS'])) {
header('Location: https://mywebserver.com/login.php');
exit;
}
Be careful. On my IIS server, $_SERVER['HTTPS'] is not empty but has the value 'off'.
So i had to do
if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
// no SSL request
}
You'll find this may not work if you are working over forwarded protocols. For example, Amazon's ELB can handle SSL negotiation and interact with your app servers over port 80.
This block handles that:
public function isSSL()
{
if( !empty( $_SERVER['https'] ) )
return true;
if( !empty( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https' )
return true;
return false;
}
Well, Here is another chunk of code. The code will return full url with https/http.
<?php
/**
* Check whether URL is HTTPS/HTTP
* #return boolean [description]
*/
function isSecure()
{
if (
( ! empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
|| ( ! empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
|| ( ! empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on')
|| (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443)
|| (isset($_SERVER['HTTP_X_FORWARDED_PORT']) && $_SERVER['HTTP_X_FORWARDED_PORT'] == 443)
|| (isset($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https')
) {
return true;
} else {
return false;
}
}
/**
* Example Use
*/
define('APP_URL', (isSecure() ? 'https' : 'http') . "://{$_SERVER['SERVER_NAME']}".str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME']));
echo APP_URL;
/**
* +++++++++++++++++++++++++
* OR - One line Code
* +++++++++++++++++++++++++
*/
define('APP_URL', ((( ! empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || ( ! empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') || ( ! empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on') || (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443) || (isset($_SERVER['HTTP_X_FORWARDED_PORT']) && $_SERVER['HTTP_X_FORWARDED_PORT'] == 443) || (isset($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https') ) ? 'https' : 'http') . "://{$_SERVER['SERVER_NAME']}".str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME']));
echo APP_URL;
?>
<?php
if ( !empty( $_SERVER['HTTPS'] ) ) {
//do secure stuff
}else{
//warn or redirect or whatever
}
?>
http://php.net/manual/en/reserved.variables.server.php
Another method is to check for the existence of HTTPS cookies. First your server needs to send the browser a cookie with the secure flag:
Set-Cookie:some_key=some_value;secure
After your server has sent the browser the cookie, whenever the browser requests a page from your server, it will send along the secure cookie some_key=some_value only if it is requesting a HTTPS page. This means that if you see the existence of the cookie some_key=some_value you know that the browser is requesting a HTTPS page. Voila!
Browser support is very good, as this is fundamental to security. Browsers without support for HTTPS cookies are Firesheepable when users request pages from non-HSTSed domains.
For more info, see:
https://httpsnow.org/help/securecookies
https://www.owasp.org/index.php/SecureFlag#Overview
https://stackoverflow.com/a/13730187/632951
https://security.stackexchange.com/q/100/2379
Just to add that in case of nginx, the way to check for https is:
if (isset($_SERVER['SERVER_PORT']) &&
($_SERVER['SERVER_PORT'] === '443')) {
return 'https';
}
To use PHP to check if the page was accessed without SSL you can check the port number.
// Most encrypted web sites use port 443
if ($_SERVER['SERVER_PORT']==443) {
// Tell browser to always use HTTPS
header('strict-transport-security: max-age=126230400');
}
elseif (isset($_SERVER['SERVER_PORT'])) {
// Redirect current page to https with 301 Moved Permanently response
header('location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'], true, 301);
exit;
}
This assumes your server is configured with the SERVER_PORT environment variable and that the encrypted version of your web site is hosted on port 443. It also assumes your server is not behind a load balancer. If your server is behind a load balancer, you might need a more advanced solution such as this one that does not rely on custom HTTP headers which can vary from one load balancer to the next:
// Set secure cookie to detect HTTPS as cookie will not exist otherwise.
header('set-cookie: __Secure-https=1; expires='.substr(gmdate('r', ($_SERVER['REQUEST_TIME']?: time())+126230400), 0, -5).'GMT; path=/; secure', false);
// Tell browser to always use HTTPS
header('strict-transport-security: max-age=126230400');
if (!isset($_COOKIE['__Secure-https']) && !isset($_GET['https'])) {
// Redirect to secure version of site and add https=1 GET variable in case cookies are blocked
header('location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'].(strpos($_SERVER['REQUEST_URI'], '?')===false? '?': '&').'https=1', true, 307);
exit;
}
If the above solution is problematic because it adds ?https=1 to your URL then you can always use JavaScript. Add this to the top of your page right after <head>:
<script>
// This will redirect all requests from http to https
if (location.protocol=='http:') {
location.replace('https://'+location.host+location.pathname+location.search)
document.write('<noscript>');// hack to stop page from displaying
}
</script>
Then add the following to your PHP script if you want browsers to remember to always use HTTPS when accessing your site:
header('strict-transport-security: max-age=126230400');
or if you want browsers to have your preferences preloaded use:
header('strict-transport-security: max-age=126230400; preload');// HTTPS will always be used!
If you use the preload feature you will need to submit your web site to be included in Chrome's HSTS preload list so that browsers come preloaded with your web site preferences. If you use preload, it's also advisable to host your site on the naked domain without the www. This is because it's usually easier for most people to type in your domain without the www, and with preload your web site loads without the need of a tedious redirect since https is already the default.
Detect server side SLL with some additions:
function detectSSL(): ?bool {
// check HTTPS protocol
if( isset($_SERVER['HTTPS']) ) {
if( 'off' !== strtolower($_SERVER['HTTPS']) ) {
return true;
}
if( 1 === (int)$_SERVER['HTTPS'] ) {
return true;
}
}
if( isset($_SERVER['HTTP_X_FORWARDED_SSL']) ) {
if( 'on' === $_SERVER['HTTP_X_FORWARDED_SSL'] ) {
return true;
}
}
if( isset($_SERVER['HTTP_X_FORWARDED_PORT']) ) {
if( 443 === (int)$_SERVER['HTTP_X_FORWARDED_PORT'] ) {
return true;
}
}
if( isset($_SERVER['HTTP_X_FORWARDED_PROTO']) ) {
if( strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https' ) {
return true;
}
}
if( isset($_SERVER['REQUEST_SCHEME']) ) {
if( strtolower($_SERVER['REQUEST_SCHEME'] === 'https') ) {
return true;
}
}
// check server port
if( isset($_SERVER['SERVER_PORT']) ) {
if( 443 === (int)$_SERVER['SERVER_PORT'] ) {
return true;
}
}
// non-SSL
return null;
}
// Set URI prefix
define('uri_prefix', detectSSL() ? 'https://' : 'http://');
define('site_host', strtolower(uri_prefix . $_SERVER['HTTP_HOST']));
And addition for .htaccess:
# SSL schema off
RewriteCond %{HTTPS} off
RewriteRule .* - [E=REQUEST_SCHEME:http]
# SSL schema
RewriteCond %{HTTPS} on
RewriteRule .* - [E=REQUEST_SCHEME:https]