1

Follow up question to what is posted here:

How can I force users to access my page over HTTPS instead of HTTP?

I've added the following code to one page, the index.php page of my CART directory.

if($_SERVER["HTTPS"] != "on")
{
    header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
    exit();
}

When I browse the site starting from the index page, all files within the CART directory are loaded through HTTPS (which I actually want), but if I click a link to another page outside the CART folder, it goes back to HTTP.

How is this working this way? How is the HTTPS staying active for pages within the CART directory? If I type in a URL for a page within the CART directory, HTTPS is not enforced, which makes sense.

The site URL is http://wtc.betaforming.com

Trying to wrap my brain around this, thanks.

Brett

  • When you hover over a link, are you sure that the `href` attribute has the `https://` written in it? If you only include that script on your index page, it is possible for someone to navigate to another page without https. – Kyle Nov 13 '12 at 21:26
  • For files within the CART directory, they are going through HTTPS. If I click a link in the main nav when in a CART directory page, I leave HTTPS. If I type in a URL of a page (not the index.php page in the CART directory), no HTTPS. I'm trying to understand how/why HTTPS is being enforced when browsing to other pages in the CART directory from the index.php page. – Brett Nov 13 '12 at 21:34

3 Answers

1

I would recommend adding this bit of code to your .htaccess file (if you're running Apache) in your root directory.

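<IfModule mod_rewrite.c>
    RewriteEngine on

    # Plain-HTTP request for a protected directory: redirect to HTTPS.
    # The alternation is grouped so that ^ applies to every directory name.
    RewriteCond %{HTTPS} =off
    RewriteRule ^(DIRECTORY1|DIRECTORY2|DIRECTORY3) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # HTTPS request for anything outside those directories: redirect back to HTTP.
    RewriteCond %{HTTPS} =on
    RewriteCond %{REQUEST_URI} !^/(DIRECTORY1|DIRECTORY2|DIRECTORY3)
    RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>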

Where you replace DIRECTORY1,DIRECTORY2, etc. with the directories that you want to force HTTPS on, then doing it in reverse (the code just below), by saying if not DIRECTORY1,DIRECTORY2, etc. then redirect to HTTP.

Hope this helps

Samuel Cook
  • You sure op is working with Apache? And if so, don't you think you should include a check for mod_rewrite being enabled? – Madbreaks Nov 13 '12 at 21:31
  • good call on mod_rewrite. I assume all servers are set up like mine :/ – Samuel Cook Nov 13 '12 at 21:33
  • A quick scan of the PHP source code shows that only the NSAPI and ISAPI SAPI modules set the variable "HTTPS". The OP seems to have some kind of dual setup, probably necessitated by the absence of a critical extension needed by CART. The rest of the site likely uses Apache SAPI, that's why it's not redirecting--the trigger variable isn't there. – cleong Nov 13 '12 at 22:16
  • ??? I have no idea what all this is. Dual setup? The staging site is hosted on RS Cloud. Critical Extension for the CART directory? – Brett Nov 13 '12 at 22:24
1

You answered your own questions in your question:

How is this working this way? How is the HTTPS staying active for pages within the CART directory?

...when you said:

I've added the following code to one page, the index.php page of my CART directory.

See? You're enforcing HTTPS requirement for pages in your cart directory, but not elsewhere. Which reflects what you're seeing on your site. If you want to require HTTPS site-wide, consider using your webserver to enforce that requirement. For example with Apache and mod_rewrite you might try something like this:

<IFModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</IFModule>

EDIT

In a comment in your post you say "I'm trying to understand how/why HTTPS is being enforced when browsing to other pages in the CART directory from the index.php page". My guess (and it is a guess since you have not shown us your code) is that those URLs are built in an SSL-agnostic way, like this:

<a href="/cart/some_page.html">I'm SSL-enabled on a page with HTTPS in the address bar</a>

Again though, without seeing your code, it's impossible to say.

Cheers

Madbreaks
1
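<?php
// Require HTTPS. $_SERVER['HTTPS'] can be unset on a plain-HTTP request,
// so check isset() first to avoid an undefined-index notice.
if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
    $url = "https://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
    header("Location: $url");
    exit;
}
?>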

Try to add this on the file you're trying to access in HTTPS and it will force the browser to load in HTTPS.

Spell
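
An added example, not code from the question or from any of the answers above: the same PHP redirect written as one include file, so that every page enforces HTTPS rather than only index.php, and so that the redirect target is not built from an unchecked Host header. It assumes PHP 7.1 or later; the file name require_https.php, the function names and the ALLOWED_HOSTS value are placeholders chosen for this example.

```php
<?php
// require_https.php (hypothetical name). Include it first in every page,
// or load it for all scripts through the auto_prepend_file ini setting.

// Assumption: hostnames this site legitimately answers to (placeholder value).
const ALLOWED_HOSTS = ['www.example.com'];

/** True when PHP sees the request as having arrived over TLS. */
function request_is_https(array $server): bool
{
    // Usually unset on plain HTTP; IIS sets it to "off". Note that behind a
    // TLS-terminating proxy or load balancer this describes the hop to PHP,
    // not the browser's connection; that case is not handled here.
    $https = strtolower($server['HTTPS'] ?? '');
    return $https !== '' && $https !== 'off';
}

/** Returns the HTTPS URL to redirect to, or null if no redirect is needed. */
function https_redirect_target(array $server, array $allowedHosts): ?string
{
    if (request_is_https($server)) {
        return null;
    }

    // The Host header is supplied by the client. Reflect it into the
    // Location header only if it is one of our own names; otherwise
    // fall back to the first (canonical) allowed host.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, $allowedHosts, true)) {
        $host = $allowedHosts[0];
    }

    // Keep the requested path and query string, but only in origin form.
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }

    return 'https://' . $host . $uri;
}

$target = https_redirect_target($_SERVER, ALLOWED_HOSTS);
if ($target !== null) {
    header('Location: ' . $target, true, 301);
    exit;
}
```

A Host value that carries an explicit port (for example the constructed value `www.example.com:80`) does not match the allowlist, so the redirect goes to the canonical name without the port.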