Force A Secure Page Using PHP


Many pages, most often pages with forms or pages that serve personal information, need to be served over a secure connection. Even recreational internet users have become accustomed to looking for the "lock" icon in their browser before entering data into a web form. For the benefit of the business and its website visitors, it's important to ensure that a form page is secured.

To ensure that your page is served over a secure connection, you must first acquire a security certificate. Popular SSL certificate providers include Verisign, Thawte, and GoDaddy (whom I prefer). Once your SSL certificate has been installed on the server, you may add the following code snippet at the top of any page you would like secured:

The PHP Code

//force redirect to secure page
if ($_SERVER['SERVER_PORT'] != '443') {
    header('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
    exit();
}

The above code redirects any request that did not arrive on secure port 443 (for example, a request on port 80) to the same URL over https://. Thus, the page is served securely.
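A more defensive form of the same redirect, as an added example that is not the article's own code: it detects TLS through the HTTPS variable with the port as a fallback, builds the target from a fixed host name because HTTP_HOST is supplied by the client, and refuses to redirect a request body that would be lost. CANONICAL_HOST and both function names are assumptions, and the code assumes PHP 7.1 or later with no TLS-terminating proxy in front of the server.

```php
<?php
// Added example, not the article's code. CANONICAL_HOST is an assumed value:
// set it to the name on your certificate instead of echoing the Host header.
const CANONICAL_HOST = 'www.example.com';

// True when the request arrived over TLS, on any port.
function request_is_https(array $server): bool
{
    // Unset or empty on plain HTTP under Apache; 'off' under IIS/ISAPI.
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    // Fallback: the article's port test, for servers that never set HTTPS.
    return (string) ($server['SERVER_PORT'] ?? '') === '443';
}

// Returns null (serve the page), or [status, header-or-null, body].
function plan_https_response(array $server): ?array
{
    if (request_is_https($server)) {
        return null;
    }
    $method = strtoupper((string) ($server['REQUEST_METHOD'] ?? 'GET'));
    if ($method !== 'GET' && $method !== 'HEAD') {
        // A redirect would drop the request body, and that body has already
        // crossed the network in clear text. Fail visibly so the form's
        // action gets changed to an https:// URL.
        return [403, null, 'This form must be submitted over HTTPS.'];
    }
    // Keep only a local path: strip control characters, reject absolute URIs.
    $uri = (string) preg_replace('/[\x00-\x1F\x7F]/', '', (string) ($server['REQUEST_URI'] ?? '/'));
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }
    return [301, 'Location: https://' . CANONICAL_HOST . $uri, ''];
}

// At the top of a page that must be secure (skipped when run from the CLI):
if (PHP_SAPI !== 'cli' && ($plan = plan_https_response($_SERVER)) !== null) {
    [$status, $header, $body] = $plan;
    http_response_code($status);
    if ($header !== null) {
        header($header);
    }
    exit($body);
}
```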


(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)

Comments

Jason Murray replied on Mon, 2008/03/17 - 9:20am

This is great for environments where you are using the expected ports. How about:

// need the check for 'off' to support ISAPI with IIS
// empty() also covers servers that leave HTTPS unset on plain requests
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off') {
    header('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
    exit();
}

as a more general solution, especially where a non-standard port might be used for the development/test servers.

kkkkkkkkkkkkkkk... replied on Tue, 2008/03/18 - 12:14am

Yuk.

Yech.

Ewwwww.

You want to repeat this on every single page, or worry about include()'ing this?

Don't do it the hard way.

 .htaccess / mod_rewrite is one of the most powerful tools for these situations; use it!

 Throw this into your root directory and never worry about it again! 

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]

 

David Walsh replied on Tue, 2008/03/18 - 7:29am

I understand your tip KK. Do you have an example of targeting this toward a specific page? It looks like your snippet runs the entire site on SSL.

kkkkkkkkkkkkkkk... replied on Wed, 2008/03/19 - 9:30am

For a single page, inline PHP would probably be better just so the implementation isn't hidden away, but redirecting a single page would be something like this:

 
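# only redirect plain-HTTP requests; without this the rule also matches the HTTPS request and loops
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} ^/somepage\.php$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]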

Also, my previous example is only one method, which redirects port 80 to https; however, there are other techniques you could apply that would rewrite any non-SSL request (no matter which port) to SSL.

Keep up the good blogging!

kkkkkkkkkkkkkkk... replied on Wed, 2008/03/19 - 9:35am

Also, I was thinking about your method in the context of MVC, wherein you would probably have a routing mechanism; in such a setup, you could apply SSL selectively and easier using PHP above .htaccess, and this would allow lots of flexibility. However, I think for a high-performance website, .htaccess would be better on server resources as it would prevent Apache from having to hand off the request to PHP twice (only to have PHP hand it back to Apache, which would then hand it back to PHP). That, and the fact that you can easily convert a site (or sub dir.) all at once is the strength in .htaccess.

gedrox replied on Wed, 2008/04/30 - 4:48am

Don't forget that data received through POST will be lost after this redirect. Suggest adding empty($_POST) in the IF condition and/or adding absolute address in the action attribute with https protocol for forms which lead to the secure page.
