Redirect to HTTPS only when logged in


mds1256

Hi


I am developing a website, and when you first browse to the website you can use either http or https, but when you log in I want it to always use HTTPS (even if someone tries to type in http rather than https to manually browse to a page once logged in).


My idea is to post the form using https://mywebsite.com/form.php (as an example). So that means the login details (username and password) will be posted securely.


Then from there always force SSL / HTTPS on page requests.

Why not just force HTTPS for everyone? Aren't the anonymous users worth protecting too?


Unnecessary overhead I guess as no personal / confidential data will be transferred when a user is not logged in.


Just don't want the overhead of SSL when users are just browsing around the site.

With a decent server SSL for everyone shouldn't create any noticeable overhead.


Since Apache has no concept of a logged-in user, make your PHP code deal with the redirection. Assuming you have $_SERVER["HTTPS"]:

<?php
// $loggedIn is whatever your own session check yields, e.g. isset($_SESSION['user']).
// Apache leaves $_SERVER["HTTPS"] unset on plain HTTP (IIS sets it to "off"), so test both.
$isHttps = !empty($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] != "off";
if ($_SERVER["REQUEST_METHOD"] == "GET" && $isHttps && !$loggedIn) {
    header("Location: http://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}");
    exit;
} else if ($_SERVER["REQUEST_METHOD"] == "GET" && !$isHttps && $loggedIn) {
    header("Location: https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}");
    exit;
}

[edit] Add the colons back in

[edit 2] Screwy highlighting

Edited by requinix
Also, the idea of not wanting to have the whole site as https is to help Google index this, as Google doesn't index https.


That is not true. Google indexes https just fine. My site forces the use of SSL for everyone and it exists in Google's indexes just fine.


If your session id cookie is set up securely (the point of this thread), it will only be sent by the browser when the request is via the https protocol. So, a visitor that is logged in via https won't appear to be logged in when he makes an http request, because the session id cookie won't be sent with the request and you won't know on the server that you should redirect them to the https protocol. You would need to put a flag in the URL (just a ?s that you would test if it isset) that indicates to the logic that it should redirect to the https protocol. Once the redirect occurs, the session id cookie would be sent by the browser with the https request and the visitor would be matched up with his session data file. If someone who isn't logged in tried to add the flag to the url, the only result would be to redirect to the https protocol, which should then remove the flag from the url and redirect back to the http protocol.
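Putting requinix's GET-only redirect logic together with the Secure-only session cookie and ?s flag described in the reply above, as an added example that is not code from the thread. It assumes PHP 7.3 or later behind Apache and a login that stores $_SESSION['user'] on success (both assumptions).

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.3 behind Apache and a
// login that stores $_SESSION['user'] on success (both assumptions).
// Apache leaves $_SERVER['HTTPS'] unset on plain HTTP and IIS sets it to "off"; handle both.
function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

// Same host/path on the other scheme with the ?s flag removed. HTTP_HOST is client-supplied:
// pin it to your real hostname in production so the redirect can never leave your site.
function other_scheme_url(array $server, string $scheme): string
{
    $uri  = $server['REQUEST_URI'] ?? '/';
    $path = parse_url($uri, PHP_URL_PATH) ?: '/';
    parse_str((string) parse_url($uri, PHP_URL_QUERY), $query);
    unset($query['s']);
    $qs = http_build_query($query);
    return $scheme . '://' . $server['HTTP_HOST'] . $path . ($qs === '' ? '' : '?' . $qs);
}

// Returns the URL to redirect to, or null when the request may proceed as-is.
function redirect_target(array $server, array $get, bool $loggedIn): ?string
{
    $https = request_is_https($server);
    // Only bounce GETs: a 302 on a POST (the login form itself) would drop the body.
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'GET') {
        return null;
    }
    // The Secure-only cookie is absent on http://, so a logged-in user looks anonymous there;
    // the ?s flag carried on links from logged-in pages still triggers the bounce to https.
    if (!$https && ($loggedIn || isset($get['s']))) {
        return other_scheme_url($server, 'https');
    }
    // Anonymous visitor on HTTPS (including someone who forged ?s): back to plain HTTP.
    if ($https && !$loggedIn) {
        return other_scheme_url($server, 'http');
    }
    return null;
}

// Include before any output on every page.
if (PHP_SAPI !== 'cli') {
    if (request_is_https($_SERVER)) {   // a Secure cookie is only accepted over TLS
        session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
    if (($to = redirect_target($_SERVER, $_GET, isset($_SESSION['user']))) !== null) {
        header('Location: ' . $to, true, 302);
        exit;
    }
}
```

There is no redirect loop: a logged-in https request carries the cookie and stays put, an anonymous http request is left alone, and an http request with ?s lands on https where the cookie (if any) decides.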
