How To Find Out If You are Using HTTPS Without $_SERVER['HTTPS']

Question

I've seen many tutorials online that says you need to check $_SERVER['HTTPS'] if the server is connection is secured with HTTPS. My problem is that on some of the servers I use, $_SERVER['HTTPS'] is an undefined variable that results in an error. Is there another variable I can check that should always be defined?

Just to be clear, I am currently using this code to resolve if it is an HTTPS connection:

if(isset($_SERVER['HTTPS']))
{
    if ($_SERVER["HTTPS"] == "on") 
    {
        $secure_connection = true;
    }
}

Answer 1

You could check $_SERVER['SERVER_PORT'] as SSL normally runs on port 443, but this is not foolproof.

Answer 2

You could check $_SERVER['REQUEST_URI']. I believe it will start with either "HTTP://" or "HTTPS://" as appropriate. You could also check $_SERVER['SERVER_PORT'] for 80 vs. 443, though of course it's possible to run both types of server on alternate ports, so that's perhaps less reliable.

Answer 3

Chacha, per the PHP documentation: "Set to a non-empty value if the script was queried through the HTTPS protocol." So your if statement there will return false in many cases where HTTPS is indeed on. You'll want to verify that $_SERVER["HTTP"] exists and is non-empty. In cases where HTTPS is not set correctly for a given server, you can try checking if $_SERVER['SERVER_PORT'] == '443'.

Answer 4

As per hobodave's post: "Set to a non-empty value if the script was queried through the HTTPS protocol."

if (!empty($_SERVER['HTTPS']))
{
    $secure_connection = true;
}

Answer 5

This one should always work :

if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'
    || $_SERVER['SERVER_PORT'] == 443) {

    $secure_connection = true;
}

It works when $_SERVER['HTTPS'] is undefined, and it is compatible with the particular behaviour encountered on IIS.

as read in php.net documentation and user comments :

1) Set to a non-empty value if the script was queried through the HTTPS protocol.

2) Note that when using ISAPI with IIS, the value will be "off" if the request was not made through the HTTPS protocol. (same behaviour has been reported for IIS7 running PHP as a Fast-CGI application)

Also, because apache 1.x servers, and some broken server installations, might not have $_SERVER['HTTPS'] defined even if connection is running through SSL, it may be a good idea to add an additional "port 443" test. If port is 443 you can assume it is a SSL connection.