Solved

Enforce SSL connection

Posted on 2005-02-28
Last Modified: 2008-02-01
Hello.
How to ensure that the connection is SSL, or require the user agent (client)
to attempt to make an SSL connection?

I am hosting a web site at some PHP host. They have a default SSL certificate.
I have one page which authenticates and gives sensitive data to the client.
When a client connects, I would like to check whether the client is trying a secure connection.
If not, I'd like to transform the connection to secure mode.

I don't believe that I can use:
$secureconnection = ($_SERVER['SERVER_PORT'] == 443);
to check secure mode because my host owner can use different port for SSL.
Or, can I rely on this?

The second part of the question is the redirection, if initial request is not in secure mode.
Can I use:
$my_page = "https://my_domain.com/my_page.htm";
header("Location: " . $my_page);
I am not sure whether this will work, because I think that this statement sends the header back.
But, I need to force my server to move into https and prompt the user agent to do the same.

Thank you.
0
Question by:beaverton8770
8 Comments
 
LVL 3

Assisted Solution

by:theevilworm
theevilworm earned 800 total points
ID: 13428633
Assuming you are using Apache/mod_ssl, there are environment variables available to check for an SSL connection (can be more useful than $_SERVER['SERVER_PORT']), documented here: http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25

To test whether the client connected with SSL you can use $_SERVER['HTTPS'], e.g. (with a redirect to the secured, current URL):

<?php
if ( !isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on' ) {
   header ('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
   exit();
}
?>
0
 

Author Comment

by:beaverton8770
ID: 13430627
Thank you very much theevilworm.

Your answer seems close to the solution, but it still does not work.
The positive part is that the browser's window appears and warns about an unknown certificate.
The negative parts are:

1. the browser receives the message:
HTTP Error 403 - Forbidden
2. In browser's address bar, it is still http://www...., not https://www....

And, it seems you did not read my question in full.
My question was about php header statement. I am citing it again:
"I am not sure whether this will work, because I think that this statement sends the header back" ...
it seems it instructs the server to send the header back to the browser.
Instead of this I would like to do the opposite:
I would like the browser to send the server a secure request or somehow
establish a secure connection.

Thank you again.
0
 
LVL 7

Expert Comment

by:sjohnstone1234
ID: 13433691
If the script realises that the client has connected insecurely, it will need to send a Location: header back to the browser (and an HTTP redirect status code, this is taken care of automatically by header()) to inform it of the correct, secure URL to use.

Note that if the "are-we-using-SSL" check takes place only on a page that processes the submission of a form, the data will initially be sent insecurely before the script can respond with the Location: header and redirection to a secure URL, thus defeating the purpose of using SSL. Therefore you should ensure that the "action" attribute of the form explicitly references the https:// URL.
0
 

Author Comment

by:beaverton8770
ID: 13435017
Thank you very much for the explanation of the mechanics of the server/browser dialog.
But, how to solve "negative parts" 1 and 2?
0
 
LVL 7

Expert Comment

by:sjohnstone1234
ID: 13435080
The "forbidden" message is usually returned by the server itself (rather than by a script) as a result of trying to access a page that is restricted in some way. Certainly the code provided by theevilworm can't generate a Forbidden response on its own.

Could you copy and paste the header() line you've used? My suspicion is that the client is being redirected to an incorrect secure URL...
0
 

Author Comment

by:beaverton8770
ID: 13435198
Thank you for response. This is the entire Web-page.
<?php

//Half works: causes certificate warning to appear:
//HTTP Error 403 - Forbidden
if ( !isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on' ) {
   header ('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
   exit();
}

?>

<html><head><title>Test</title></head><body><pre>

Now, you are in secure mode ...

</pre></body></html>
0
 
LVL 7

Accepted Solution

by:
sjohnstone1234 earned 1200 total points
ID: 13435271
Ok, and does your secure server have the same namespace as your non-secure server? In other words, if you take the URL for your non-secure script, for instance:

http://www.example.com/some/dir/script.php

Then replace the "http" with "https" and try that, does that give the secure version of your script? Or does it give the same Forbidden error?

If you get the Forbidden error, it may be that (depending on your web host) you might need to specify an alternative URL, possibly something like this (where example.net is your web host's domain, not yours):

https://secure.example.net/~myusername/some/dir/script.php

Just one thought, let us know how that goes either way...
0
 

Author Comment

by:beaverton8770
ID: 13435706
You are absolutely right,  sjohnstone1234.

I've called my host and found that it
uses a different namespace for the secure instance of the entire site:
It is https://medea.safe-order.net/<key><path_inside_site>

So, I don't need all these precautions, because that prefix
triggers my server into secure mode automatically.

But, being paranoid, I will use the code like:
<?php
if( !isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on' ) {
    echo "<html><body>Not secure</body></html>";
    exit();
}else{
    echo "<html><body>Secure</body></html>";
}
?>

I've tested it, it generates "Secure" when https... used
and "Non secure" when http... used.

Thank you very much. My problem seems completely resolved.
But, I have to give some points to theevilworm's comments  which were
valuable for me for finding the solution.











0
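
Added example, not code from any poster in this thread: one way to combine the points made above, redirecting to the host's separate secure namespace instead of to the same host name, and refusing rather than redirecting a form submission that arrived over plain HTTP. `SECURE_BASE`, `is_secure_request()` and `enforce_ssl()` are hypothetical names; the base URL is the placeholder from the accepted answer, site paths are assumed to map one-to-one under it, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+.
// SECURE_BASE is an assumed, host-specific value: the prefix under which the
// host serves this site over SSL (placeholder URL from the accepted answer).
const SECURE_BASE = 'https://secure.example.net/~myusername';

// True when the server reports that the request arrived over SSL.
// Apache/mod_ssl sets HTTPS to "on"; PHP under IIS/ISAPI reports "off" for
// plain HTTP, so unset, empty and "off" are all treated as not secure.
function is_secure_request(array $server): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    return $https !== '' && $https !== 'off';
}

// Returns [status, headers] for a request described by a $_SERVER-style array.
function enforce_ssl(array $server): array
{
    if (is_secure_request($server)) {
        return [200, []];
    }
    $method = strtoupper((string) ($server['REQUEST_METHOD'] ?? 'GET'));
    if ($method !== 'GET' && $method !== 'HEAD') {
        // A form body has already crossed the network unencrypted; a redirect
        // would hide that. Refuse, so the form's action gets fixed to https://.
        return [403, []];
    }
    // Build the target from the fixed base, never from HTTP_HOST, which is
    // supplied by the client and need not match the secure namespace.
    $path = (string) ($server['REQUEST_URI'] ?? '/');
    if ($path === '' || $path[0] !== '/') {
        $path = '/';
    }
    return [302, ['Location: ' . SECURE_BASE . $path]];
}

[$status, $headers] = enforce_ssl($_SERVER);
if ($status !== 200) {
    http_response_code($status);
    foreach ($headers as $line) {
        header($line);
    }
    exit();
}
// Only requests that arrived over SSL reach the sensitive page below.
```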


Question has a verified solution.
