views: 1828
answers: 5

I've got just one page that I want to force as an HTTPS page (PHP on Apache). How do I do this without making the whole directory require HTTPS? Or, if you submit a form to an HTTPS page from an HTTP page, does it send it by HTTPS instead of HTTP?

Here is my example:

http://www.mysite.com/buyCrap.php

needs to only be accessed through:

https://www.mysite.com/buyCrap.php

Sure, I can put all of the links to this page pointed at the HTTPS version, but that doesn't stop some fool from accessing it through HTTP on purpose...

One thing I thought was putting a redirect in the header of the PHP file to check to be sure that they are accessing the HTTPS version:

    if($_SERVER["SCRIPT_URI"] == "http://www.mysite.com/buyCrap.php"){
        header('Location: https://www.mysite.com/buyCrap.php');
        exit; // stop here so the rest of the page is not also sent over plain HTTP
    }

But that can't be the right way can it?

BTW, please pay no attention to the URL. I know that if it were actually a page where there was a shopping cart, etc. you would do it a different way. Think of it as a page from a site that sells one item for one price where you type in your credit card info to be submitted to a payment gateway on an external site for the express purpose of charging your card one time.

+11  A: 

You could do it with a directive and mod_rewrite on Apache:

    # Put this in the server or virtual-host config (<Location> is not permitted in .htaccess)
    <Location /buyCrap.php>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
    </Location>

You could make the Location smarter over time using regular expressions if you want.

thebigjc
Where would you put this? .htaccess file?
+1  A: 

Use $_SERVER['HTTPS'] to tell if it is SSL, and redirect to the right place if not.

And remember, the page that displays the form does not need to be fed via HTTPS, it's the post back URL that needs it most.

Edit: yes, as is pointed out below, it's best to have the entire process in HTTPS. It's much more reassuring - I was pointing out that the post is the most critical part. Also, you need to take care that any cookies are set to be secure, so they will only be sent via SSL. The mod_rewrite solution is also very nifty, I've used it to secure a lot of applications on my own website.

DGM
It's true that the form itself doesn't need to be https, though it's a good idea for the majority of people who don't know this. If they are about to submit the form and notice that the lock icon isn't there, they might mistakenly assume that the form is insecure.
Graeme Perrow
@Graeme: additionally nobody can be sure that the form will ever be sent through https. The whole form (displayed through http) might be a fake, submitting to an unknown or http cleartext site. Https is not just about encryption, it also authenticates the server.
Olaf
A: 

The way I've done it before is basically like what you wrote, but doesn't have any hardcoded values:

    if($_SERVER["HTTPS"] != "on")
    {
        // Rebuild the same URL on https:// from the request itself, no hard-coded host or path
        header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
    }
Adam Rosenfield
You forgot to call exit() to ensure the script quits after the redirect. I usually wrap that in a function called requireSSL(). I can then call this at the top of any page I want to be encrypted.
Jesse Weigert
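The answers and comments above converge on one pattern: test $_SERVER['HTTPS'], redirect to the same host and path, exit so nothing is served over HTTP, and mark cookies secure. The following is an added example in that spirit and is not code from the question or from any of the answerers; the function names (is_https, require_https), the host allowlist, the decision to refuse rather than redirect a cleartext POST, and the optional trusted-proxy check are this example's own choices.

```php
<?php
// Added example: a reusable require_https() helper (the requireSSL() idea from the
// comments), written for PHP 7.3 or later. Names and policy choices are assumptions.

/**
 * Return true when the current request arrived over TLS.
 *
 * Apache's mod_ssl sets $_SERVER['HTTPS'] to "on"; some servers set it to "off"
 * instead of leaving it unset, so both forms are handled. Behind a TLS-terminating
 * proxy pass $trust_proxy = true, but only if that proxy is known to overwrite
 * X-Forwarded-Proto itself; otherwise a client can spoof the header and skip the redirect.
 */
function is_https(bool $trust_proxy = false): bool
{
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    if ($trust_proxy && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

/**
 * Force the current page onto HTTPS.
 *
 * GET/HEAD requests get a 301 to the same path on https://. Any other method
 * (e.g. a POST that already travelled in cleartext) is refused rather than redirected:
 * the browser would re-send the body to the new location, and the data has already
 * been exposed on the wire, so a redirect only hides the problem.
 *
 * @param string[] $allowed_hosts hostnames we are willing to redirect to; the Host
 *                                header is client-controlled, so it is checked against this list
 */
function require_https(array $allowed_hosts, bool $trust_proxy = false): void
{
    if (is_https($trust_proxy)) {
        return;
    }

    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    if ($method !== 'GET' && $method !== 'HEAD') {
        http_response_code(403);
        header('Content-Type: text/plain');
        echo "This page accepts submissions over HTTPS only.\n";
        exit;
    }

    $host = strtolower($_SERVER['HTTP_HOST'] ?? '');
    if (!in_array($host, $allowed_hosts, true)) {
        $host = $allowed_hosts[0]; // ignore an unexpected Host header, use our canonical name
    }
    $uri = $_SERVER['REQUEST_URI'] ?? '/';

    header('Location: https://' . $host . $uri, true, 301);
    exit; // nothing below this line is ever served over plain HTTP
}

// Usage at the very top of buyCrap.php, before any output is sent.
// 'www.mysite.com' is the hostname from the question, used here as the canonical host.
require_https(['www.mysite.com']);

// Cookies set on this page must never travel over HTTP: configure the session cookie
// as secure (and HttpOnly) before session_start(), as DGM's edit recommends.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();
```

The exit after header() is the part the code above this comment thread missed: without it PHP keeps executing, so the form HTML is still sent in the cleartext response that carries the redirect. Refusing non-HTTPS POSTs with a 403 instead of redirecting them also makes a failed deployment visible in testing rather than silently bouncing submitted card data around.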
A: 

Don't mix HTTP and HTTPS on the same page. If you have a form page that is served up via HTTP, I'm going to be nervous about submitting data -- I can't see if the submit goes over HTTPS or HTTP without doing a View Source and hunting for it.

Serving up the form over HTTPS along with the submit link isn't that heavy a change for the advantage.

JBB
A: 

You shouldn't for security reasons. Especially if cookies are in play here. It leaves you wide open to cookie-based replay attacks.

Either way, you should use Apache control rules to tune it.

Then you can test for HTTPS being enabled and redirect as-needed where needed.

You should redirect to the pay page only using a FORM POST (no get), and accesses to the page without a POST should be directed back to the other pages. (This will catch the people just hot-jumping.)

http://joseph.randomnetworks.com/archives/2004/07/22/redirect-to-ssl-using-apaches-htaccess/

Is a good place to start, apologies for not providing more. But you really should shove everything through SSL.

It's over-protective, but at least you have less worries.

Kent Fredric