
PHP redirect to HTTPS if page is

I need a PHP if/else statement so that if the sign-in.php or register.php page is accessed over HTTP, it redirects to HTTPS; otherwise, if any other page is accessed over HTTPS, it redirects to HTTP, with any query string appended. For example, if a user tries to access a restricted page ( http://domain.com/my-account.php ), the site redirects the user to http://domain.com/sign-in.php?redirect=my-account ; however, I would like the page to redirect to https://domain.com/sign-in.php?redirect=my-account .

I know I could simply change the header redirects to include https instead of http, but users may type http://domain.com/sign-in.php?redirect=my-account , so I just need to ensure that if this happens, sign-in (or others) happens over HTTPS.

Any help is appreciated

Here you go.

//force the page to use ssl 
if ($_SERVER["SERVER_PORT"] != 443) {
    $redir = "Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
    header($redir);
    exit();
}

$_SERVER is an array containing information such as headers, paths, and script locations.

You can check against $_SERVER, specifically 'SERVER_PROTOCOL'

http://php.net/manual/en/reserved.variables.server.php

There should be a part of your code that is always run on every page. In an MVC it would be in your base controller. Other designs may include an init.php file on every page.

In this file have a whitelist of pages that require HTTPS.

$requires_https = array(
    'sign-in.php' => TRUE,
    'register.php' => TRUE
);

Then you need to determine which page was requested.

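// Drop the query string first, then take the script name (e.g. "sign-in.php") so it matches the whitelist keys
$page = basename((string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH));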

Next check if you are on HTTP or HTTPS

$is_secure = ! empty($_SERVER['HTTPS']);

Finally you can do the checking:

if (isset($requires_https[$page]) AND ! $is_secure) {
    header('Location: https://www.yoursite.com/' . $page);
    exit(); // stop the script so the rest of the page is not sent with the redirect
} elseif ( ! isset($requires_https[$page]) AND $is_secure) {
    header('Location: http://www.yoursite.com/' . $page);
    exit();
}

This could definitely be improved upon in the last part by using a custom redirect function and a site_url function that takes in the option of being secure or not and builds the proper URL.

It is worth mentioning that it generally doesn't matter if someone is left surfing in HTTPS. In fact most of Google's services are in HTTPS and with better internet connections surfing will eventually all be done in HTTPS. It is only important to make sure the pages that should be secure are secure, not make sure that pages that don't need to be secure aren't.

if ($_SERVER['SERVER_PORT'] != 443) {
   header("HTTP/1.1 301 Moved Permanently");
   header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
   exit();
}

Using as part of an init class / script - You can run code to check if this page should require SSL prior, but this is the actual code to force redirect to SSL (and REQUEST_URI provides any dirs, etc. to get the correct path).

Using on a single page (i.e. sign-in and register) - This will redirect the user to this page in SSL (put this code near the top).

The 301 Moved Permanently will also prevent any negative SEO.

(A more) complete method: (includes the query string)

To determine if on https:

$secure = (!empty(filter_input(INPUT_SERVER, 'HTTPS')) &&
  filter_input(INPUT_SERVER, 'HTTPS') !== 'off') ||
  filter_input(INPUT_SERVER, 'SERVER_PORT') == 443;

as per https://stackoverflow.com/a/2886224

Then to redirect and include the query string:

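// Redirect only when the request is NOT already on HTTPS; redirecting a secure request would loop forever
if(!$secure){
  header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
  exit();
}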

Using REQUEST_URI instead of PHP_SELF will include the query parameters (things after the ? in the URL).

And as always filter your user input (including these) with filter_input() or the like.
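Combining the points from the answers above (page whitelist, HTTPS detection, REQUEST_URI for the query string, exit after the header), as an added example that is not from any of the original posts: it builds the redirect from a fixed host rather than the client-supplied Host header. `CANONICAL_HOST`, `HTTPS_PAGES` and both function names are assumptions for illustration, and it assumes PHP sees the TLS connection directly rather than sitting behind a TLS-terminating proxy.

```php
<?php
// Added example. CANONICAL_HOST and HTTPS_PAGES are assumed values based on
// the placeholder names in the question; replace them with your own.
const CANONICAL_HOST = 'domain.com';
const HTTPS_PAGES = ['sign-in.php', 'register.php'];

// True when the current request arrived over TLS.
function request_is_https(array $server): bool
{
    return (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off')
        || (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

// Returns the URL to redirect to, or null when the request may proceed.
// Only upgrades to HTTPS; a request that is already secure is left alone.
function https_redirect_target(array $server): ?string
{
    $uri   = $server['REQUEST_URI'] ?? '/';
    $path  = (string) parse_url($uri, PHP_URL_PATH);   // '' if the URI is malformed
    $query = parse_url($uri, PHP_URL_QUERY);

    if (request_is_https($server) || !in_array(basename($path), HTTPS_PAGES, true)) {
        return null;
    }
    // Fixed host instead of $_SERVER['HTTP_HOST'], which the client controls.
    // The original query string (e.g. ?redirect=my-account) is kept.
    $target = 'https://' . CANONICAL_HOST . '/' . ltrim($path, '/');
    if (is_string($query) && $query !== '') {
        $target .= '?' . $query;
    }
    return $target;
}

// Run this from the script every page includes (the init.php mentioned above).
if (PHP_SAPI !== 'cli' && ($target = https_redirect_target($_SERVER)) !== null) {
    header('Location: ' . $target, true, 301);
    exit;
}
```

The `redirect` parameter that sign-in.php later acts on is a separate input and needs its own check against a list of known pages before it is used as a destination.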

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 