• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 612

Enforce SSL connection

Hello.
How do I ensure that the connection is SSL, or require the user agent (client)
to attempt an SSL connection?

I am hosting a web site at a PHP host. They have a default SSL certificate.
I have one page which authenticates and gives sensitive data to the client.
When the client connects, I would like to check whether the client is trying a secure connection.
If not, I'd like to switch the connection to secure mode.

I don't believe that I can use:
$secureconnection = ($_SERVER['SERVER_PORT'] == 443);
to check for secure mode, because my host may use a different port for SSL.
Or can I rely on this?

The second part of the question is the redirection, if the initial request is not in secure mode.
Can I use:
$my_page = "https://my_domain.com/my_page.htm";
header("Location: " . $my_page);
I am not sure whether this will work, because I think this statement sends a header back.
But I need to force my server to move to https and prompt the user agent to do the same.

Thank you.
Asked by: beaverton8770

2 Solutions
 
theevilwormCommented:
Assuming you are using Apache/mod_ssl, there are environment variables available to check for an SSL connection (more useful than $_SERVER['SERVER_PORT']), documented here: http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25

To test whether the client connected with SSL you can use $_SERVER['HTTPS'], e.g. (with a redirect to the secured version of the current URL):

<?php
// mod_ssl sets HTTPS to 'on' for TLS requests; for plain HTTP it is unset.
if ( !isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on' ) {
   // Send the browser to the same host and path over https, then stop
   // so no page content is emitted on the insecure connection.
   header ('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
   exit();
}
?>
 
beaverton8770Author Commented:
Thank you very much theevilworm.

Your answer seems close to the solution, but it still does not work.
The positive part is that the browser window appears and warns about an unknown certificate.
The negative parts are

1. the browser receives the message:
HTTP Error 403 - Forbidden
2. In browser's address bar, it is still http://www...., not https://www....

And it seems you did not read my question in full.
My question was about the PHP header statement. I am citing it again:
"I am not sure whether this will work, because I think this statement sends a header back" ...
It seems to instruct the server to send a header back to the browser.
Instead of this I would like the opposite action:
I would like the browser to send a secure request to the server, or somehow
establish a secure connection.

Thank you again.
 
sjohnstone1234Commented:
If the script realises that the client has connected insecurely, it will need to send a Location: header back to the browser (and an HTTP redirect status code, this is taken care of automatically by header()) to inform it of the correct, secure URL to use.

Note that if the "are-we-using-SSL" check takes place only on a page that processes the submission of a form, the data will initially be sent insecurely before the script can respond with the Location: header and redirection to a secure URL, thus defeating the purpose of using SSL. Therefore you should ensure that the "action" attribute of the form explicitly references the https:// URL.
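The two answers above leave two details to the reader: the redirect target in theevilworm's snippet is built from $_SERVER['HTTP_HOST'], which the client supplies and can set to any value, and, as sjohnstone1234 points out, redirecting a form POST that arrived over plain http does nothing to protect data that has already been sent in the clear. The following is an added example written for this page, not code posted by anyone in the thread. It assumes a fixed canonical origin (the constant SECURE_ORIGIN and the value https://www.example.com are hypothetical), and the function names isHttps and enforceHttps are the example's own. It redirects only GET/HEAD requests, refuses to process anything else that arrived insecurely, and adds a Strict-Transport-Security header once the connection is secure.

```php
<?php
// Added example (not from the original thread): handle a request that did not
// arrive over TLS without trusting the client-supplied Host header for the
// redirect target, and without "redirecting" a form body that has already
// travelled in the clear.

// Canonical HTTPS origin, set by the operator, never taken from the request.
// Hypothetical value: replace with your own site.
const SECURE_ORIGIN = 'https://www.example.com';

/**
 * Returns true when the request reached PHP over TLS.
 * $server is normally $_SERVER; it is passed in so the logic is testable.
 * X-Forwarded-Proto is honoured only when $behindTrustedProxy is true, because
 * any client can send that header directly to a server that is not proxied.
 */
function isHttps(array $server, bool $behindTrustedProxy = false): bool
{
    // Apache/mod_ssl sets HTTPS to 'on'; IIS may set it to 'off' on plain HTTP.
    if (!empty($server['HTTPS']) && strtolower((string)$server['HTTPS']) !== 'off') {
        return true;
    }
    // Fallback that only helps when TLS is served on the standard port.
    if (isset($server['SERVER_PORT']) && (int)$server['SERVER_PORT'] === 443) {
        return true;
    }
    if ($behindTrustedProxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower((string)$server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

/**
 * Decides the response for the current request: returns [status, headers].
 *  - already TLS:           200 plus an HSTS header so the browser uses https next time
 *  - plain HTTP GET/HEAD:   301 to the same path on the canonical https origin
 *  - plain HTTP POST etc.:  403; the body is already exposed, so do not process it
 */
function enforceHttps(array $server, bool $behindTrustedProxy = false): array
{
    if (isHttps($server, $behindTrustedProxy)) {
        return [200, ['Strict-Transport-Security: max-age=31536000']];
    }
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if ($method !== 'GET' && $method !== 'HEAD') {
        return [403, ['Cache-Control: no-store']];
    }
    // REQUEST_URI is client-controlled too; accept only a plain absolute path
    // (with optional query) so the redirect can never leave SECURE_ORIGIN.
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/' || strpos($uri, '//') === 0) {
        $uri = '/';
    }
    return [301, ['Location: ' . SECURE_ORIGIN . $uri]];
}

// Apply to the live request when running under a web server.
if (PHP_SAPI !== 'cli') {
    [$status, $headers] = enforceHttps($_SERVER);
    http_response_code($status);
    foreach ($headers as $h) {
        header($h);
    }
    if ($status !== 200) {
        exit; // emit nothing on the insecure connection
    }
}
```

Two notes on the design. A 301 is correct for GET because the browser simply repeats the request over https; for POST the data is already on the wire, which is why the example refuses rather than redirects, and why the form's action attribute must point at the https URL in the first place, as the answer above says. The Strict-Transport-Security header is only sent on a TLS response (browsers ignore it on http), and max-age applies to the whole host, so add it only once every path on that host is reachable over https.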
 
beaverton8770Author Commented:
Thank you very much for explanation of mechanics of the server/browser dialog.
But, how to solve "negative parts" 1 and 2?
 
sjohnstone1234Commented:
The "forbidden" message is usually returned by the server itself (rather than by a script) as a result of trying to access a page that is restricted in some way. Certainly the code provided by theevilworm can't generate a Forbidden response on its own.

Could you copy and paste the header() line you've used? My suspicion is that the client is being redirected to an incorrect secure URL...
 
beaverton8770Author Commented:
Thank you for response. This is the entire Web-page.
<?php

//Half works: causes certificate warning to appear:
//HTTP Error 403 - Forbidden
if ( !isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on' ) {
   header ('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
   exit();
}

?>

<html><head><title>Test</title></head><body><pre>

Now, you are in secure mode ...

</pre></body></html>
 
sjohnstone1234Commented:
Ok, and does your secure server have the same namespace as your non-secure server? In other words, if you take the URL for your non-secure script, for instance:

http://www.example.com/some/dir/script.php

Then replace the "http" with "https" and try that, does that give the secure version of your script? Or does it give the same Forbidden error?

If you get the Forbidden error, it may be that (depending on your web host) you might need to specify an alternative URL, possibly something like this (where example.net is your web host's domain, not yours):

https://secure.example.net/~myusername/some/dir/script.php

Just one thought, let us know how that goes either way...
0
 
beaverton8770Author Commented:
You are absolutely right, sjohnstone1234.

I've called my host and found that it
uses a different namespace for the secure instance of the entire site:
It is https://medea.safe-order.net/<key><path_inside_site>

So I don't need all these precautions, because that prefix
switches my server into secure mode automatically.

But, being paranoid, I will use code like:
<?php
if( !isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on' ) {
    echo "<html><body>Not secure</body></html>";
    exit();
}else{
    echo "<html><body>Secure</body></html>";
}
?>

I've tested it: it generates "Secure" when https... is used
and "Non secure" when http... is used.

Thank you very much. My problem seems completely resolved.
But I have to give some points to theevilworm's comments, which were
valuable for me in finding the solution.
