Trouble redirecting to HTTPS with PHP - php

I just had SSL installed for a site I am working on, and I obviously need to get a few of the pages (checkout, etc.) redirected to HTTPS.
I am currently using this code:
if (!isset($_SERVER['HTTPS']) || !$_SERVER['HTTPS']) {
$url = 'https://www.mysite.php';
header("location: ". $url);
exit();
}
Firefox is telling me that "the page is trying to redirect in a way that will never complete."
A var_dump of $_SERVER shows no ['HTTPS'] or similar when I am on the secure page. This is on a Network Solutions small unix package. Is it possible I need to be checking for a different server variable or perhaps I need to change some server settings?
Clearly the script is never finding HTTPS so it is trying to redirect without end.

It becomes clearer if you use OR:
if (!isset($_SERVER['HTTPS']) OR !$_SERVER['HTTPS']) {
Chances are one of the conditions always evaluates to true, even when you are already in HTTPS mode.
You want AND:
if (!isset($_SERVER['HTTPS']) AND !$_SERVER['HTTPS']) {

I use this form of SSL checking too. For me, my code works. Here is what I do.
if(empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
exit(); // stop here so the rest of the page does not run after the redirect header
}
This works great and also redirects you to the previous URL.
Hope this helps.

Related

Foolproof Way To Check For SSL With PHP

We need to check for certain whether the server has SSL installed. Every method that we tried does not seem to be foolproof.
Our ultimate goal is that if someone types in http://somedomain.com, we can test if the server has SSL and then display https://somedomain.com
We need to be able to do this with PHP and not htaccess, since this is a module we are creating. Using file_exists or curl both seem to have some sort of drawback where they might not be turned on.
Thanks In Advance!
You can use the PHP $_SERVER['HTTPS'].
E.g.:
if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
header("Location: myurl.com");
exit();
}
You should check both whether $_SERVER['HTTPS'] is empty and whether $_SERVER['HTTPS'] is set to on.
Be careful: you should place this piece of code at the start of the page, because the redirection is happening with header(), which only works if no HTML output has been sent.
Can you connect to $hostname:443?
Does $hostname:443 provide a valid certificate for $hostname
???
Profit!

Force page to break out of secure protocol (https:// > http://)

I used info from this answer (https://stackoverflow.com/a/85867/3271766 - along with the contribution from Dave1010) to allow me to force a page to load securely (https://). This works beautifully!
Now, I want to do the opposite. When clicking a relative link (to a normal, non-secure page) from a secure page, I want to force that page to load non-securely (http://). I don't want to use absolute links to accomplish this. They need to stay relative. Instead, I'd rather use a piece of PHP code similar to what I used to force pages to load securely.
How can this be done? Thanks, in advance, for your help.
The code I used (in each page's head tags) to force pages to load securely is:
<?php
// WORKING: FORCE SECURE - Force page to load securely (http:// > https://)
if(empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] !== "on")
{
header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
exit();
}
?>
I tried the following, but it stops the page from loading altogether:
<?php
// NOT WORKING: FORCE NON-SECURE - Force page to break out of secure protocol (https:// > http://)
if(empty($_SERVER["HTTP"]) || $_SERVER["HTTP"] !== "on")
{
header("Location: http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
exit();
}
?>
Is there a way to modify this to make it work?
(By the way, in case anyone is wondering, I am doing this because a third-party sharing tool my client wants to use does not have a valid security certificate. Thus, portions of the sharing tool either do not load, or do not function. I have contacted the vendor repeatedly, but they have not responded. I have removed the tool from the secure pages only. However, my client wants to use this tool on all other pages, on which it works perfectly, so long as it is not accessed securely.) :-)
Regards,
Jeremy
Change
if(empty($_SERVER["HTTP"]) || $_SERVER["HTTP"] !== "on")
to
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on'){
$url = 'http://'. $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
header("Location: $url");
exit(); // stop here so the rest of the page does not run after the redirect header
}

Https causing too many redirects?

I have simple code in place in my PHP file to redirect to https if it's not present, and I keep getting a too many redirects issue.
if(strtolower($_SERVER['HTTPS']) != 'on') {
redirect('https://domain.com/register.php');
}
Is there something I can do to fix the issue?
Thank you.
From the PHP manual, $_SERVER['HTTPS'] is "Set to a non-empty value if the script was queried through the HTTPS protocol." That isn't necessarily on. You may then end up in an infinite loop of redirects.
To avoid this, use the empty() function:
if ((!isset($_SERVER['HTTPS'])) || (empty($_SERVER['HTTPS'])))
{
redirect('https://domain.com/register.php');
}
Note: Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol.
if(!isset($_SERVER['HTTPS'])){
//redirect
}

PHP redirect to HTTPS if page is

I need a PHP if/else statement so that if the sign-in.php or register.php page is accessed over HTTP, I redirect to HTTPS; else, if any other page is accessed over HTTPS, redirect to HTTP, plus have any query string appended. For example, if a user tries to access a restricted page (http://domain.com/my-account.php), the site redirects the user to http://domain.com/sign-in.php?redirect=my-account; however, I would like the page to redirect to https://domain.com/sign-in.php?redirect=my-account.
I know I could simply change the header redirects to include https instead of http, but users may type http://domain.com/sign-in.php?redirect=my-account, so I just need to ensure that if this happens, sign in (or others) happen over https.
Any help is appreciated.
Here you go.
//force the page to use ssl
if ($_SERVER["SERVER_PORT"] != 443) {
$redir = "Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
header($redir);
exit();
}
$_SERVER is an array containing information such as headers, paths, and script locations.
You can check against $_SERVER, specifically 'SERVER_PROTOCOL':
http://php.net/manual/en/reserved.variables.server.php
There should be a part of your code that is always run on every page. In an MVC it would be in your base controller. Other designs may include an init.php file on every page.
In this file have a whitelist of pages that require HTTPS.
$requires_https = array(
'sign-in.php' => TRUE,
'register.php' => TRUE
);
Then you need to determine which page was requested.
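// Strip the query string, then keep the file name with its extension so it matches the whitelist keys ('sign-in.php')
$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$page = basename($path);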
Next check if you are on HTTP or HTTPS
$is_secure = ! empty($_SERVER['HTTPS']);
Finally you can do the checking:
if (isset($requires_https[$page]) AND ! $is_secure)
header('Location: https://www.yoursite.com/' . $page);
elseif ( ! isset($requires_https[$page]) AND $is_secure)
header('Location: http://www.yoursite.com/' . $page);
This could definitely be improved upon in the last part by using a custom redirect function and a site_url function that takes in the option of being secure or not and builds the proper URL.
It is worth mentioning that it generally doesn't matter if someone is left surfing in HTTPS. In fact most of Google's services are in HTTPS and with better internet connections surfing will eventually all be done in HTTPS. It is only important to make sure the pages that should be secure are secure, not make sure that pages that don't need to be secure aren't.
if ($_SERVER['SERVER_PORT'] != 443) {
header("HTTP/1.1 301 Moved Permanently");
header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
exit();
}
Using part of an init class / script -
You can run code to check if this page should require SSL beforehand, but this is the actual code to force a redirect to SSL (and REQUEST_URI provides any dirs, etc. to get the correct path).
Using on a single page (i.e. sign-in and register) -
This will redirect the user to this page in SSL (put this code near the top).
The 301 Moved Permanently will also prevent any negative SEO.
(A more) complete method: (includes the query string)
To determine if on https:
$secure = (!empty(filter_input(INPUT_SERVER, 'HTTPS')) &&
filter_input(INPUT_SERVER, 'HTTPS') !== 'off') ||
filter_input(INPUT_SERVER, 'SERVER_PORT') == 443;
as per https://stackoverflow.com/a/2886224
Then to redirect and include the query string:
if(!$secure){ // redirect only when the request is not already on HTTPS, otherwise it loops
header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
exit();
}
Using REQUEST_URI instead of PHP_SELF will include the query parameters (things after the ? in the URL).
And as always filter your user input (including these) with filter_input() or the like.
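
An added example (not code from any of the answers above) that combines this thread's checks into one upgrade-only redirect for the listed pages, keeping the query string. It pins the host to a constant instead of echoing HTTP_HOST, which comes from the client's Host header; CANONICAL_HOST, the function names and the sample requests are assumptions made for the illustration.

```php
<?php
// Added example; CANONICAL_HOST and both function names are illustrative.
const CANONICAL_HOST = 'www.example.com'; // placeholder for the site's real host name

/** True when the request arrived over HTTPS, combining the checks from the answers. */
function is_https(array $server): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') { // non-empty and not the IIS/ISAPI "off"
        return true;
    }
    return (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

/** URL to redirect to, or null when the request should be served as it is. */
function https_redirect_target(array $server, array $requiresHttps): ?string
{
    $uri   = (string) ($server['REQUEST_URI'] ?? '/');
    $path  = parse_url($uri, PHP_URL_PATH);   // path only, query string removed
    $query = parse_url($uri, PHP_URL_QUERY);
    if (!is_string($path) || $path === '' || $path[0] !== '/' || is_https($server)) {
        return null;                          // malformed URI, or already secure
    }
    if (!in_array(basename($path), $requiresHttps, true)) {
        return null;                          // page is not on the HTTPS list
    }
    // Host is pinned; only the parsed path and query string are reused.
    return 'https://' . CANONICAL_HOST . $path . (is_string($query) ? '?' . $query : '');
}

$pages = ['sign-in.php', 'register.php'];
if (PHP_SAPI !== 'cli') {
    // Web request: run before any output is sent.
    $target = https_redirect_target($_SERVER, $pages);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
} else {
    // Command line: constructed sample requests, not taken from the page.
    $samples = [
        ['HTTPS' => 'off', 'SERVER_PORT' => '80', 'REQUEST_URI' => '/sign-in.php?redirect=my-account'],
        ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'REQUEST_URI' => '/register.php'],
        ['SERVER_PORT' => '80', 'REQUEST_URI' => '/index.php'],
    ];
    foreach ($samples as $s) {
        var_dump(https_redirect_target($s, $pages));
    }
}
```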

How do I strip out the WWW in my URL using PHP

So I want to do an external permanent redirect (301) from http://www.creya.com to http://creya.com.
I am not using Apache but rather Abyss Web Server, and I can't figure out the URL rewrite rules. But I believe I could also do this at the app level with PHP.
I think WordPress does do this. I set http://creya.com/blog as your blog URL and try to hit http://www.creya.com/blog; it redirects to http://creya.com/blog. I want to do the same thing.
Any ideas how I can make this hijacking happen?
Thanks in advance.
This should do it-
if($_SERVER['SERVER_NAME']!='creya.com')
{
Header("HTTP/1.1 301 Moved Permanently");
Header("Location: http://creya.com".$_SERVER['REQUEST_URI']);
}
Try
if(substr($_SERVER['SERVER_NAME'],0,4) == 'www.')
header("Location: http://". substr($_SERVER['SERVER_NAME'], 4));
Long time since I coded PHP, so I can't remember how to get the full path; read a bit here (http://php.net/manual/en/reserved.variables.server.php) and change the last $_SERVER['SERVER_NAME']
