Use PHP to check if page was accessed with SSL

Posted by: admin April 23, 2020

Questions:

Is there a way to check if the current page was opened with SSL? For example, I want my login page (login.php) to check if it was accessed using SSL (https://mywebserver.com/login.php). If not, redirect them to the SSL version of the page.

Pretty much, I want to enforce that the user uses the page securely.

How to & Answers:

You should be able to check that $_SERVER['HTTPS'] is set, e.g.:

if (empty($_SERVER['HTTPS'])) {
    header('Location: https://mywebserver.com/login.php');
    exit;
}

Answer:

Be careful. On my IIS server, $_SERVER['HTTPS'] is not empty but has the value 'off'.

So I had to do

if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
    // no SSL request
}

Answer:

You’ll find this may not work if you are working over forwarded protocols. For example, Amazon’s ELB can handle SSL negotiation and interact with your app servers over port 80.

This block handles that:

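    public function isSSL()
    {
        // Class method. $_SERVER keys are case-sensitive: the key is 'HTTPS', not 'https'.
        // IIS sets HTTPS to 'off' for non-SSL requests, so exclude that value.
        if( !empty( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] !== 'off' )
            return true;

        // Set by a load balancer that terminates SSL (e.g. Amazon's ELB).
        // Only meaningful when a proxy you control sets this header.
        if( !empty( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https' )
            return true;

        return false;
    }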

Answer:

Well, here is another chunk of code. The code will return the full URL with https/http.

<?php

/**
 * Check whether the current request was made over HTTPS.
 * @return boolean true if any HTTPS indicator is present, false otherwise
 */
function isSecure()
{

    if (
        ( ! empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || ( ! empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
        || ( ! empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on')
        || (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443)
        || (isset($_SERVER['HTTP_X_FORWARDED_PORT']) && $_SERVER['HTTP_X_FORWARDED_PORT'] == 443)
        || (isset($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https')
    ) {
        return true;
    } else {
        return false;
    }

}
/**
 * Example Use
 */
define('APP_URL', (isSecure() ? 'https' : 'http') . "://{$_SERVER['SERVER_NAME']}".str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME']));
echo APP_URL;


/**
 * +++++++++++++++++++++++++
 * OR - One line Code
 * +++++++++++++++++++++++++
 */
define('APP_URL', ((( ! empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || ( ! empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') || ( ! empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on') || (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443) || (isset($_SERVER['HTTP_X_FORWARDED_PORT']) && $_SERVER['HTTP_X_FORWARDED_PORT'] == 443) || (isset($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https') ) ? 'https' : 'http') . "://{$_SERVER['SERVER_NAME']}".str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME']));
echo APP_URL;

?>

Answer:

<?php
if ( !empty( $_SERVER['HTTPS'] ) ) {
  //do secure stuff
}else{
  //warn or redirect or whatever
}
?>

http://php.net/manual/en/reserved.variables.server.php

Answer:

Another method is to check for the existence of HTTPS cookies. First your server needs to send the browser a cookie with the secure flag:

Set-Cookie:some_key=some_value;secure

After your server has sent the browser the cookie, whenever the browser requests a page from your server, it will send along the secure cookie some_key=some_value only if it is requesting an HTTPS page. This means that if you see the existence of the cookie some_key=some_value you know that the browser is requesting an HTTPS page. Voila!

Browser support is very good, as this is fundamental to security. Browsers without support for HTTPS cookies are Firesheepable when users request pages from non-HSTSed domains.

For more info, see:

Answer:

Just to add that in case of nginx, the way to check for https is:

if (isset($_SERVER['SERVER_PORT']) &&
        ($_SERVER['SERVER_PORT'] === '443')) {
    return 'https';
}
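
The checks from the answers above, combined into one function. This is an added example, not part of any of the original answers. It treats the IIS 'off' value as non-SSL and honours X-Forwarded-Proto only when the request comes from a known proxy, because a client can send that header itself. The proxy address 10.0.0.5, the constant names and the function names are assumptions made for illustration.

```php
<?php
// Added example. Assumption: TRUSTED_PROXIES holds the addresses of your own
// load balancer(s); 10.0.0.5 is a constructed placeholder.
const TRUSTED_PROXIES = ['10.0.0.5'];
const CANONICAL_HOST  = 'mywebserver.com'; // host name used in the question

/**
 * Decide whether the request reached the site over HTTPS.
 * $server is passed in (normally $_SERVER) so the logic can be exercised offline.
 */
function requestIsHttps(array $server, array $trustedProxies = TRUSTED_PROXIES): bool
{
    // Direct TLS: Apache/nginx set HTTPS=on; IIS sets HTTPS=off for plain HTTP.
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }

    // TLS terminated upstream (e.g. ELB): trust X-Forwarded-Proto only when the
    // immediate peer is one of our proxies, since any client can send the header.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, $trustedProxies, true)) {
        return strtolower((string)($server['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https';
    }
    return false;
}

function enforceHttps(array $server): void
{
    if (!requestIsHttps($server)) {
        // Fixed host: the redirect is never built from the client-supplied Host header.
        $path = $server['REQUEST_URI'] ?? '/';
        header('Location: https://' . CANONICAL_HOST . $path, true, 301);
        exit;
    }
}

// Constructed sample requests for a command-line run.
// In a real page, call enforceHttps($_SERVER) before any output instead.
$samples = [
    'direct TLS'            => ['HTTPS' => 'on',  'REMOTE_ADDR' => '203.0.113.7'],
    'IIS plain HTTP'        => ['HTTPS' => 'off', 'REMOTE_ADDR' => '203.0.113.7'],
    'behind trusted proxy'  => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'header from untrusted' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];
foreach ($samples as $name => $s) {
    printf("%-22s => %s\n", $name, requestIsHttps($s) ? 'https' : 'http');
}
```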