-1

I need a PHP if/else statement: if the sign-in.php or register.php page is accessed over HTTP, I would like to redirect to HTTPS; else, if any other page is accessed over HTTPS, redirect to HTTP, plus have any query string appended. For example, if a user tries to access a restricted page (http://domain.com/my-account.php), the site redirects the user to http://domain.com/sign-in.php?redirect=my-account; however, I would like the page to redirect to https://domain.com/sign-in.php?redirect=my-account.

I know I could simply change the header redirects to include https instead of http, but users may type http://domain.com/sign-in.php?redirect=my-account, so I just need to ensure that, if this happens, sign in (or others) happens over https.

Any help is appreciated

puks1978
  • I found a couple of scripts that are placed directly on the page (like the below) that needs to be secure but I was hoping all checks could be done in a single statement for example if(page == 'sign-in.php' || page == 'register.php') etc and placed in a redirect include which I include at the top of the page. – puks1978 Mar 19 '13 at 21:31

5 Answers

4

Here you go.

//force the page to use ssl 
if ($_SERVER["SERVER_PORT"] != 443) {
    $redir = "Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
    header($redir);
    exit();
}

$_SERVER is an array containing information such as headers, paths, and script locations.

Eswar Rajesh Pinapala
  • Thanks for this. I was about to edit the question to include the query string as well. Sometimes the page will be sign-in.php?redirect=my-account for example – puks1978 Mar 19 '13 at 21:22
  • Didn't get you. Can you explain it in the question by editing it? – Eswar Rajesh Pinapala Mar 19 '13 at 21:23
  • Just maintain a session. If the user is logged in, set the session variable, something like $_SESSION['loggedIn'] = true; On all the pages that need to redirect if not logged in, check the $_SESSION['loggedIn'] variable at the top of the page. if(session variable != true){ //redirect to signin page, set the redirect param as well. } – Eswar Rajesh Pinapala Mar 19 '13 at 21:31
0

You can check against $_SERVER, specifically 'SERVER_PROTOCOL'

http://php.net/manual/en/reserved.variables.server.php

zajd
0

There should be a part of your code that is always run on every page. In an MVC it would be in your base controller. Other designs may include an init.php file on every page.

In this file have a whitelist of pages that require HTTPS.

$requires_https = array(
    'sign-in.php' => TRUE,
    'register.php' => TRUE
);

Then you need to determine which page was requested.

// Use only the path (no query string) and keep the extension so it matches the whitelist keys
$page = basename((string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH));

Next check if you are on HTTP or HTTPS

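// IIS sets HTTPS to 'off' for plain HTTP requests, so a non-empty value alone is not enough
$is_secure = ! empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';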

Finally you can do the checking:

if (isset($requires_https[$page]) AND ! $is_secure) {
    header('Location: https://www.yoursite.com/' . $page);
    exit; // stop here so the rest of the page is not sent over HTTP
} elseif ( ! isset($requires_https[$page]) AND $is_secure) {
    header('Location: http://www.yoursite.com/' . $page);
    exit;
}

This could definitely be improved upon in the last part by using a custom redirect function and a site_url function that takes in the option of being secure or not and builds the proper URL.

It is worth mentioning that it generally doesn't matter if someone is left surfing in HTTPS. In fact most of Google's services are in HTTPS and with better internet connections surfing will eventually all be done in HTTPS. It is only important to make sure the pages that should be secure are secure, not make sure that pages that don't need to be secure aren't.

None
0
if ($_SERVER['SERVER_PORT'] != 443) {
   header("HTTP/1.1 301 Moved Permanently");
   header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
   exit();
}

Using part of an init class / script - You can run code to check if this page should require SSL prior, but this is the actual code to force redirect to SSL (and REQUEST_URI provides any dirs, etc.. to get the correct path).

Using on a single page (i.e. sign-in and register) - This will redirect the user to this page in SSL (put this code near the top).

The 301 Moved Permanently will also prevent any negative SEO.

Bartłomiej Semańczyk
Scott
0

(A more) complete method: (includes the query string)

To determine if on https:

$secure = (!empty(filter_input(INPUT_SERVER, 'HTTPS')) &&
  filter_input(INPUT_SERVER, 'HTTPS') !== 'off') ||
  filter_input(INPUT_SERVER, 'SERVER_PORT') == 443;

as per https://stackoverflow.com/a/2886224

Then to redirect and include the query string:

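// Redirect only when the request is NOT already on HTTPS; redirecting when it is would loop
if(!$secure){
  header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
  exit;
}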

Using REQUEST_URI instead of PHP_SELF will include the query parameters (things after the ? in the URL).

And as always filter your user input (including these) with filter_input() or the like.

Community
codywohlers
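A single include that combines the whitelist approach and the query-string handling from the answers above, as an added example that is not code from any of the posters. `CANONICAL_HOST`, the `HTTPS_ONLY_PAGES` entries, `DOWNGRADE_OTHER_PAGES` and the function names are assumptions; the redirect is built from a fixed host rather than `HTTP_HOST`, which the client controls.

```php
<?php
// Added example, not the answers' code; CANONICAL_HOST is an assumed placeholder.
const CANONICAL_HOST = 'www.example.com';
const HTTPS_ONLY_PAGES = ['sign-in.php', 'register.php'];
// Opt-in: the third answer notes that leaving other pages on HTTPS is harmless.
const DOWNGRADE_OTHER_PAGES = false;

function is_https(array $server): bool
{
    $flag = strtolower((string) ($server['HTTPS'] ?? ''));
    return ($flag !== '' && $flag !== 'off')
        || (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

// Returns the URL to redirect to, or null if the scheme is already right.
function scheme_redirect_target(array $server): ?string
{
    $uri = (string) ($server['REQUEST_URI'] ?? '/');
    $path = parse_url($uri, PHP_URL_PATH);
    if (!is_string($path) || $path === '' || $path[0] !== '/') {
        $path = '/'; // malformed request target: fall back to the site root
    }
    $needs_https = in_array(basename($path), HTTPS_ONLY_PAGES, true);
    $secure = is_https($server);
    if ($needs_https && !$secure) {
        $scheme = 'https';
    } elseif (!$needs_https && $secure && DOWNGRADE_OTHER_PAGES) {
        $scheme = 'http';
    } else {
        return null;
    }
    // Fixed host, not the Host header; the query string is carried over unchanged.
    $query = parse_url($uri, PHP_URL_QUERY);
    $suffix = is_string($query) && $query !== '' ? '?' . $query : '';
    return $scheme . '://' . CANONICAL_HOST . $path . $suffix;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests, so the logic can be checked offline.
    foreach ([['REQUEST_URI' => '/sign-in.php?redirect=my-account', 'SERVER_PORT' => 80],
              ['REQUEST_URI' => '/sign-in.php', 'HTTPS' => 'on', 'SERVER_PORT' => 443],
              ['REQUEST_URI' => '/index.php', 'HTTPS' => 'off', 'SERVER_PORT' => 80]] as $s) {
        var_dump(scheme_redirect_target($s));
    }
} elseif (($target = scheme_redirect_target($_SERVER)) !== null) {
    header('Location: ' . $target, true, 301);
    exit;
}
```

Include the file before any output is sent, since `header()` only works until the first byte of the body has gone out.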