mds1256 Posted January 23, 2013 Hi, I am developing a website and when you first browse to the website you can either use http or https, but when you log in I want it to always use HTTPS (even if someone tries to type in http rather than https to manually browse to a page once logged in). My idea is to post the form using https://mywebsite.com/form.php (as an example). So that means the login details (username and password) will be posted securely. Then from there always force SSL / HTTPS on page requests. Link to comment https://forums.phpfreaks.com/topic/273549-redirect-to-https-only-when-logged-in/
requinix Posted January 23, 2013 Why not just force HTTPS for everyone? Aren't the anonymous users worth protecting too?
mds1256 (Author) Posted January 23, 2013 > Why not just force HTTPS for everyone? Aren't the anonymous users worth protecting too? Unnecessary overhead I guess, as no personal / confidential data will be transferred when a user is not logged in. Just don't want the overhead of SSL when users are just browsing around the site.
requinix Posted January 23, 2013 (edited) With a decent server SSL for everyone shouldn't create any noticeable overhead. Since Apache has no concept of a logged-in user, make your PHP code deal with the redirection. Assuming you have $_SERVER["HTTPS"]:

$loggedIn = false; // placeholder: replace with your own login check (e.g. a session value set at login)

if ($_SERVER["REQUEST_METHOD"] == "GET" && $_SERVER["HTTPS"] == "on" && !$loggedIn) {
    // logged out but on HTTPS: send back to plain HTTP
    header("Location: http://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}");
    exit;
} else if ($_SERVER["REQUEST_METHOD"] == "GET" && (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] == "off") && $loggedIn) {
    // logged in but on plain HTTP: force HTTPS (Apache leaves HTTPS unset rather than "off" on non-SSL requests)
    header("Location: https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}");
    exit;
}

[edit] Add the colons back in [edit 2] Screwy highlighting Edited January 23, 2013 by requinix
mds1256 (Author) Posted January 28, 2013 Hi, thanks for the above, yes that seems to work. Also the idea of not wanting to have the whole site as https is also to help Google index this, as Google doesn't index https.
kicken Posted January 28, 2013 > Also the idea of not wanting to have the whole site as https is also to help Google index this, as Google doesn't index https. That is not true. Google indexes https just fine. My site forces the use of SSL for everyone and it exists in Google's indexes just fine.
PFMaBiSmAd Posted January 28, 2013 If your session id cookie is securely set up (the point of this thread), it will only be sent by the browser when the request is via the https protocol. So, a visitor that is logged in via https won't appear to be logged in when he makes an http request, because the session id cookie won't be sent with the request and you won't know on the server that you should redirect them to the https protocol. You would need to put a flag in the URL (just a ?s that you would test with isset) that indicates to the logic that it should redirect to the https protocol. Once the redirect occurs, the session id cookie would be sent by the browser with the https request and the visitor would be matched up with his session data file. If someone who isn't logged in tried to add the flag to the url, the only result would be to redirect to the https protocol, which should then remove the flag from the url and redirect back to the http protocol.
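One way to put PFMaBiSmAd's "?s" flag and requinix's redirect together with a Secure session cookie, as an added example that is not code from the thread. It assumes PHP 7.3+ (array form of session_set_cookie_params) and that $_SESSION['user_id'] is set at login; both are assumptions, not something the thread states.

```php
<?php
// Added example, not from the thread. Assumes $_SESSION['user_id'] marks a logged-in user.

function isHttps(): bool {
    // Apache leaves HTTPS unset on plain requests; IIS sets it to "off".
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

function redirectTo(string $scheme, string $uri): void {
    header('Location: ' . $scheme . '://' . $_SERVER['HTTP_HOST'] . $uri, true, 302);
    exit;
}

// Remove the bare "s" flag: "/page.php?s&x=1" becomes "/page.php?x=1".
function stripFlag(string $uri): string {
    $parts = parse_url($uri);
    $path  = $parts['path'] ?? '/';
    parse_str($parts['query'] ?? '', $query);
    unset($query['s']);
    return $path . ($query ? '?' . http_build_query($query) : '');
}

// The session cookie is only ever sent over HTTPS and is not readable by script.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);

if (!isHttps()) {
    // Over plain HTTP the Secure cookie never arrives, so the session is invisible here.
    // Only the "?s" flag (added to links rendered for logged-in users) says "bounce to HTTPS".
    if (isset($_GET['s'])) {
        redirectTo('https', $_SERVER['REQUEST_URI']);
    }
    // No flag: serve the page as an anonymous visitor without starting a session.
} else {
    session_start();
    if (empty($_SESSION['user_id'])) {
        // Flag added by someone not logged in: drop it and go back to HTTP, as described above.
        redirectTo('http', stripFlag($_SERVER['REQUEST_URI']));
    }
    if (isset($_GET['s'])) {
        // Logged in and already on HTTPS: drop the flag so it does not linger in the address bar.
        redirectTo('https', stripFlag($_SERVER['REQUEST_URI']));
    }
}
// ...page logic continues; links for logged-in users should carry "?s".
```

On a current deployment the simpler route is requinix's: force HTTPS for every request and send a Strict-Transport-Security header, which makes the browser itself refuse the plain-HTTP detour this flag works around.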