Forcing a user to use a page under HTTPS

EdwardMartinIII · 2011-01-12 19:49:48 UTC

Is there a way that my site can tell if a User is looking at a page (say, a page that collects troubleshooting information from the User) and tell if that page is being viewed via HTTP or HTTPS?

If they are looking at it via HTTP, I’d very much like to basically do a refresh of the page into HTTPS.

As it stands, all LINKS to that page from the website call it under HTTPS, so this is only for those weird-beard occasions when someone MANUALLY types in “http://www.blah-blah.html”

Thanks!

erikjacobsen · 2011-01-12 21:00:40 UTC

In that case you really don’t need to do the redirect for them, just tell them not to fool around

But you can probably in PHP just read $_SERVER[“SERVER_PORT”], and if it’s 80, then the user has been naughty.

EdwardMartinIII · 2011-01-12 21:11:19 UTC

“…just tell them not to fool around…”

Heh – I asked if it would be acceptable to tell the User “You are on an insecure page,” and was told “No, absolutely not – if they have manually typed in HTTP, then we need to bounce them immediately to the HTTPS page.”

I know how to do a redirect on a page-load, but I don’t know how to make it conditional based on the status of the connection, nor how to query the connection’s state.

I presume there might be something right in the Page onLoad command, such if a certain condition isn’t met (if you’re not using HTTPS), then it immediately redirects you to the same page, but with the HTTPS prefix.

I’m still a bit new to some of this.

The · 2011-01-13 23:40:36 UTC

[php]<?php
if(!isset($_SERVER[‘HTTPS’])){
header(“Location: https://secure.mysite.com{$_SERVER[‘REQUEST_URI’]}”);
exit;
}
?>[/php]

EdwardMartinIII · 2011-01-13 23:48:51 UTC

I tried putting this into my .htaccess file (beh.com is not my actual domain):

And that didn’t quite seem to do anything.

So, in order to see if the redirect was even working, I rewrote that line in the .htaccess to

Okay, so that seemed okay.

However, now I can’t get it to NOT forward to google.com.

So, I looked more carefully at the .htaccess file on the server, and the line has been CHANGED to read:

What the heck?! The prefix (which is the big difference) has been stripped away.

…and it still forwards to google.com.

I am… disappoint. Where have I gone wrong with this?

EdwardMartinIII · 2011-01-18 16:48:59 UTC

Okay, the code below goes onto the page I want to force to HTTPS, right?

Is there a server-side way of enforcing HTTPS?
-=-=-=-=-