-1

I used info from this answer (https://stackoverflow.com/a/85867/3271766 - along with the contribution from Dave1010) to allow me to force a page to load securely (https://). This works beautifully!

Now, I want to do the opposite. When clicking a relative link (to a normal, non-secure page) from a secure page, I want to force that page to load non-securely (http://). I don't want to use absolute links to accomplish this. They need to stay relative. Instead, I'd rather use a piece of PHP code similar to what I used to force pages to load securely.

How can this be done? Thanks, in advance, for your help.

The code I used (in each page's head tags) to force pages to load securely is:

<?php
    // WORKING: FORCE SECURE - Force page to load securely (http:// > https://)
    if(empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] !== "on")
    {
        header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
        exit();
    }
?>

I tried the following, but it stops the page from loading altogether:

<?php
    // NOT WORKING: FORCE NON-SECURE - Force page to break out of secure protocol (https:// > http://)
    if(empty($_SERVER["HTTP"]) || $_SERVER["HTTP"] !== "on")
    {
        header("Location: http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
        exit();
    }
?>

Is there a way to modify this to make it work?

(By the way, in case anyone is wondering, I am doing this because a third-party sharing tool my client wants to use does not have a valid security certificate. Thus, portions of the sharing tool either do not load, or do not function. I have contacted the vendor repeatedly, but they have not responded. I have removed the tool from the secure pages only. However, my client wants to use this tool on all other pages, on which it works perfectly, so long as it is not accessed securely.) :-)

Regards, Jeremy

Community
  • 1
  • 1
Jeremy
  • 1
  • 1

1 Answers1

0

Change

if(empty($_SERVER["HTTP"]) || $_SERVER["HTTP"] !== "on")

to

if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on'){
    $url = 'http://'. $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
    header("Location: $url");
}
JRL
  • 840
  • 6
  • 18
  • Thanks for you response! Unfortunately, for some reason, that gives me the following error: "Notice: Undefined index: HTTPS in /home/content/t/h/e/thesheepfold/html/new/needs.php on line 36 Warning: Cannot modify header information - headers already sent by (output started at /home/content/t/h/e/thesheepfold/html/new/needs.php:36) in /home/content/t/h/e/thesheepfold/html/new/needs.php on line 38" (Basically, lines 36 and 38 are the "if" and "header" lines of the code I provided above. Any ideas? – Jeremy May 28 '14 at 21:57
  • That is because you've already echoed something before the check. This check needs to be before ANY data is echoed or sent to the browser. It appears though that there is some weird server configuration problem, as you're using that SAME EXACT SERVER VARIABLE in other parts of your site. – JRL May 28 '14 at 22:00
  • You're right... I tried putting it ahead of everything else, but it just put the page into a redirect loop. I know I'm using the same server variable to detect the URL in certain instances. Interestingly, I tried the code on a different site, which is about as basic as they come. It didn't work there either. I'm wondering if there's an issue with something the hosting provider is doing? I'll have to dig deeper to figure out where other issues may lie. I'll update this post with what I find out. Thanks so much for your help! I'll be back. :-) – Jeremy May 28 '14 at 22:20
  • Strange... it's still putting the browser in a redirect loop. Something weird is going on with this site. :-) – Jeremy May 28 '14 at 22:24
  • Do you still have the functionality in place somewhere, that was supposed to switch from HTTP to HTTPS in the first place? Sounds like you might be (inadvertently) trying to do both at the same time here … that would explain an endless redirect, because your server is trying to send the client from HTTPS to HTTP and vice versa … – CBroe May 28 '14 at 22:36
  • Hi CBroe! Thanks for your comment! That's a great idea, though I don't think it applies here, since each PHP code snippet is only being used once per page. So, for instance, the version that sends an HTTP page to HTTPS is only on the pages that need to load securely. However, every other page would get the code that sends the client from HTTPS to HTTP, ensuring that the page breaks out of the secure protocol. I still haven't figured out why I'm getting this endless redirect. So frustrating... :-) – Jeremy May 29 '14 at 19:30