U_S_A

HTTPS for signup & login - HTTP for all other pages

Hi Experts,

We have an ad revenue website which requires our members to create an account and login to use it.  Around mid March we switched all web pages to https:// -- After we took a big revenue hit, we decided to go back to http:// - We made the switch today.

We'd like to have the entire website run on http:// except for the signup page (https://www.domainname.com/signup.php) and the login page https://www.domainname.com/index.php  - We are not collecting any financial information or address information in case you are wondering.   After one logs in, they are taken to what we call the home page.  We'll call it homepage.php and they can navigate from there to wherever they want to go.  While they are logged in, they never return to index.php or signup.php.

Our desire is to use .htaccess to force all users to http:// unless they are on signup.php or index.php.  After they log in, we want them to be forced to http://www.domainname.com/homepage.php and every webpage they access thereafter, while logged in, would start with http://.

Here is our .htaccess file

php_flag zlib.output_compression On

Options +FollowSymLinks
RewriteEngine  on
RewriteBase    /

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ profile.php?id=$1

# enabled https for website 3/14/17
#RewriteCond %{HTTPS} off
#RewriteRule ^(.*)$ https://www.domainname.com/$1 [R=301,L]

# disabled https setup 4/10/17
RewriteCond %{HTTPS} on
RewriteRule ^(.*)$ http://www.domainnacom.com/$1 [R=301,L]

# Make all requests have the www. in them
RewriteCond %{HTTP_HOST} ^domainnacom\.com [NC]
RewriteRule ^(.*)$ http://www.domainnacom.com/$1 [R=301,L]


Note these lines where we enabled and forced everything to https:// for the entire website - 3/14/17

Then note we commented this out and created a few lines forcing http:// for all webpages.

We also have lines directing http://domainname.com to http://www.domainname.com  (adding www) - not sure if we did this correctly.

We have 2 issues:
1) some users are getting redirect errors with our current .htaccess file settings - not all users, just some.
https://puu.sh/vg4I3/7100bc8666.png 
https://www.screencast.com/t/cxhWvAsWIT 

We tell them to clear cache, and restart browser, but that does not seem to fix it for them.

2) as described earlier we would like to get signup.php and index.php to be the only webpages to begin with https://

Thank you in advance for your help.
Dr. Klahn

This should rewrite any incoming requests for signup.php and index.php to HTTPS, and all else to HTTP, per your specification.  The placement of these rewrites is critical.  The [L] makes these the last rewrites for that request, and any rules located after these that might still apply will not be examined.  Note that the rewrites for signup.php and index.php do not check whether the request is HTTP or HTTPS - it's rewritten to HTTPS unconditionally rather than do another compare to see if HTTPS is on or off.

IMPORTANT:  This is a brute-force solution.  The signup.php and index.php pages must be SELF-CONTAINED without reference to external resources.  All other requests are rewritten to HTTP and if (for example) images were referenced by URL within the signup.php or index.php pages, they could be pulled in as HTTP creating a mixed-mode page - partly HTTP, partly HTTPS.

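# signup.php is always sent to HTTPS, with no check of the current scheme
RewriteCond %{REQUEST_URI} ^signup\.php$                        [NC,OR]
RewriteCond %{REQUEST_URI} ^/signup\.php$                       [NC]
RewriteRule .* https://%{HTTP_HOST}/signup.php [L]

# index.php is handled the same way
RewriteCond %{REQUEST_URI} ^index\.php$                        [NC,OR]
RewriteCond %{REQUEST_URI} ^/index\.php$                       [NC]
RewriteRule .* https://%{HTTP_HOST}/index.php [L]

# any other request that arrives over HTTPS goes back to HTTP
# (REQUEST_URI already starts with "/", so the host must be supplied)
RewriteCond %{HTTPS} on
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [L]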


As far as redirecting domainname.com to www.domainname.com, I think it's easier to make domainname.com a permitted alias for the vhost.

#
# ServerName: The primary name for this virtual host
# ServerAlias: Other acceptable names for this virtual host
# UseCanonicalName:  Use ServerName to build URLs referring to itself
#
ServerName www.domainname.com
ServerAlias domainname.com www.domainname.*
UseCanonicalName on


As a side note, I would put all this in the httpd.conf configuration file for the vhost rather than in an .htaccess file.  It will then be clear to the next web site maintainer that these rules exist.  I never look at the contents of .htaccess files, myself.
We'd like to have the entire website run on http://
Why not just put the whole site on HTTPS?
It might help if we understood the motivation to change to HTTPS.  Were you under attack?  What is the continuing motivation to put sign up  and log in  under HTTPS?
It might help if we understood the motivation to change to HTTPS
I am guessing because it is a login page. The post talks about making HTTPS only for login - rest of the site for HTTP - so if they plan on using HTTPS for the login - why not keep the rest of the site there?
ASKER CERTIFIED SOLUTION
Jim Riddles
Jim: That's kind of what I was thinking, too.  I'm guessing the reason they are taking the SEO hit is because the site is already well indexed using the HTTP protocol.  It would seem right to accept the HTTP requests and simply redirect the browser 301 to the equivalent HTTPS page.  I believe that this should be OK for all pages.  A well-behaved browser that gets a 301 moved permanently header will follow the redirection and not use an older cached version.
U_S_A

ASKER

We originally thought to go all https:// only for the login and signup pages.  We did not know how to do that just for those 2 pages and made the entire website https://  -- Browsers like Firefox are specifically telling users that the page is insecure when they are logging in (especially in the login fields - like email and password) -- We believe this discourages users from logging in, feeling their info needs to be secure.   It's our opinion that the website does not maintain any information that needs to travel via SSL.  We do provide SSL for payment pages, which actually port their upgrade requests to PayPal.  PayPal collects their financial data and we do not store any real life information for users.

Later the reason for switching back to https:// wasn't so much an SEO decision but it was a decision based on ad revenue.  This website generates revenue from ad clicks and ad impressions.  We noticed a significant drop in cost-per-click when we switched to https:// - We've read that when other websites switch to https:// they also experience a drop in revenue.  Ads are displayed based on a bidding process.  When non SSL compliant bidders cannot bid on ads (because we are running everything under SSL) then there is less competition and we end up having to settle for less to fill our ad space.

Thank you everyone for asking about this.
Ahh, now that I understand better, it all makes sense.  I'm guessing that login and signup don't really need to serve tons of ads for your revenue to remain strong, so you might get past the problem this way...

1. Put everything under HTTP.
2. Add a function like this to the top of the login and signup scripts.

See it in action here: http://iconoun.com/demo/go_https.php
<?php // demo/go_https.php
/**
 * https://www.experts-exchange.com/questions/29015335/HTTPS-for-signup-login-HTTP-for-all-other-pages.html#a42088166
 *
 * Demonstrate how to use "go to HTTPS" in a PHP script
 */
error_reporting(E_ALL);


function go_https()
{
    if (empty($_SERVER["HTTPS"])) {
        $req = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
        header("HTTP/1.1 301 Moved Permanently");
        header("Location: $req");
        exit;
    }

    return;
}

go_https();
echo "Check the URL now.";

U_S_A

ASKER

The solutions about htaccess continue to do a redirect loop.  The https://iconoun.com/demo/go_https.php solution did not work either for us, with our current htaccess configuration.

We went on to come up with a solution on our own.

This is what our htaccess looks like now and it works for us.  We ended up forcing the signup and login pages to load as https://  using php code thanks to Jim Riddles.  This gives the users a secure page to login with.  We then added code in the header which forced pages to http:// only if the user was logged in.  Thank you all for your suggestions and help.

php_flag zlib.output_compression On

Options +FollowSymLinks
RewriteEngine  on
RewriteBase    /

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ profile.php?id=$1

# Make all requests have the www. in them
RewriteCond %{HTTP_HOST} ^domainnacom\.com [NC]
RewriteRule ^(.*)$ http://www.domainnacom.com/$1 [R=301,L]


We disabled the forcing of all users to http:// by removing this:

RewriteCond %{HTTPS} on
RewriteRule ^(.*)$ http://www.domainnacom.com/$1 [R=301,L]

U_S_A

ASKER

See my last post.  Thank you for the help!!
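
The redirect loop reported in this thread, and the reason removing the "force http://" rule ended it, can be reproduced with a small model. This is an added example, not code from any poster: the function names are hypothetical, and it assumes the .htaccess rules are evaluated before the PHP script runs.

```python
# Toy model of the redirect rules discussed in this thread (not Apache or PHP).
# Each rule returns the (scheme, path) it redirects to, or None if it does not fire.
LOGIN_PAGES = {"/index.php", "/signup.php"}  # the two pages wanted on HTTPS

def htaccess_force_http(scheme, path, logged_in):
    """.htaccess rule dated 4/10/17: RewriteCond %{HTTPS} on -> redirect to http://"""
    return ("http", path) if scheme == "https" else None

def php_go_https(scheme, path, logged_in):
    """go_https() placed at the top of the login and signup scripts only."""
    return ("https", path) if path in LOGIN_PAGES and scheme == "http" else None

def php_http_when_logged_in(scheme, path, logged_in):
    """Header code from the final post: force http:// only for logged-in users."""
    return ("http", path) if logged_in and scheme == "https" else None

def first_redirect(rules, current, logged_in):
    """Return the target of the first rule that fires, or None."""
    for rule in rules:
        target = rule(current[0], current[1], logged_in)
        if target is not None:
            return target
    return None

def trace(start, rules, logged_in=False, max_hops=10):
    """Follow redirects from start=(scheme, path). Returns (chain, looped)."""
    chain, current = [start], start
    for _ in range(max_hops):
        target = first_redirect(rules, current, logged_in)
        if target is None:
            return chain, False            # no rule fires: the page is served
        if target in chain:
            return chain + [target], True  # same URL reached twice: redirect loop
        chain.append(target)
        current = target
    return chain, True                     # hop limit reached, treated as a loop

# .htaccess is evaluated before PHP, so its rule is listed first (assumption).
BROKEN = [htaccess_force_http, php_go_https]     # 4/10/17 rule plus go_https()
FINAL = [php_go_https, php_http_when_logged_in]  # configuration in the final post

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("final", FINAL)):
        chain, looped = trace(("http", "/index.php"), rules)
        hops = " -> ".join(f"{s}://host{p}" for s, p in chain)
        print(name, hops, "LOOP" if looped else "ok")
```

In the broken combination the login page bounces between the two schemes because each layer undoes the other's redirect; in the final configuration each request is redirected at most once.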