I have a login form:
<form method="POST" action="/login.php">
...
</form>
I would like the login.php page to redirect to using https.
I don't want to send the user to https://.../login.php because they might change the link, but I want to do a redirect on the server side before I parse the login form data and log the user in.
I found an example:
// Redirect to the same URL over https if the request did not arrive over TLS
if ($_SERVER["HTTPS"] != "on") {
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);
    exit();
}
but I don't have $_SERVER["HTTPS"] if I var_dump($_SERVER);
I do have $_SERVER['SERVER_PORT'], which is 80.
Any ideas?
Thanks
To set a permanent PHP redirect, you can use the status code 301. Because this code indicates an indefinite redirection, the browser automatically redirects the user using the old URL to the new page address.
If you are using the popular Apache web server, you can easily redirect all traffic from unsecured HTTP to HTTPS. When a visitor goes to your site, they will be redirected to the secure HTTPS protocol. The server must allow you to use the module mod_rewrite, but that is not a problem for most web hosting providers.
If you allow them to post to /login.php over plain HTTP and then redirect to HTTPS, you defeat the purpose of using HTTPS, because the login information has already been sent in plain text over the internet.
What you could do to prevent the user from changing the URL is make it so the login page rejects the login if it is not over HTTPS.
What I use to check for the use of HTTPS is the following:
// HTTPS is unset or empty on plain-HTTP requests; IIS sets it to "off" instead
if (!isset($_SERVER['HTTPS']) || !$_SERVER['HTTPS'] || $_SERVER['HTTPS'] === 'off') {
    // request is not using SSL, redirect to https, or fail
}
If you are running your secure server on the default port of 443, then you can also check to see if that is the port, but PHP sets the $_SERVER['HTTPS'] value to non-empty if SSL is used, so I would check for the presence of that as best practice.
EDIT:
If the user is so inclined to manually change the https to http and wants to send their information over plain text, there isn't anything you can do to stop them, but if you disallow login over HTTP, so that even the correct information will not log them in, you can force them to use https by making it the only thing that works.
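The check and the reject-on-POST behaviour described in this answer, written out as a complete added example (this is not code from the question or the answers). It assumes a fixed canonical hostname (`example.com`, a placeholder) rather than trusting the client-supplied Host header, and the `$trustProxy` switch is an assumption for deployments behind a TLS-terminating load balancer; it also handles the asker's situation where the HTTPS key is absent and only SERVER_PORT is available:

```php
<?php
// Added example, not part of the original page: decide from $_SERVER whether
// the request arrived over TLS, then redirect a plain GET of the login page
// and refuse a plain POST, so credentials are never accepted over HTTP.

// Assumption: the site's canonical hostname. Using HTTP_HOST here would let a
// client steer the redirect to an arbitrary host via the Host header.
const CANONICAL_HOST = 'example.com';

/**
 * True when PHP saw the request over TLS.
 *
 * $trustProxy (assumption) is only safe when a proxy you control strips and
 * re-sets X-Forwarded-Proto; any client can send that header directly.
 */
function request_is_https(array $server, bool $trustProxy = false): bool
{
    // Apache/mod_ssl and most SAPIs set HTTPS to "on" or "1"; IIS sets "off".
    if (isset($server['HTTPS']) && $server['HTTPS'] !== ''
        && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    // Fallback for setups that do not populate HTTPS but report the port
    // (the asker's case: no HTTPS key, SERVER_PORT present).
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return true;
    }
    if ($trustProxy && isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https') {
        return true;
    }
    return false;
}

/**
 * Decide what login.php should do. Returns the decision as an array so it can
 * be inspected; send_decision() turns it into headers.
 */
function enforce_https(array $server, bool $trustProxy = false): array
{
    if (request_is_https($server, $trustProxy)) {
        return ['action' => 'proceed'];
    }
    $target = 'https://' . CANONICAL_HOST . ($server['REQUEST_URI'] ?? '/login.php');

    if (($server['REQUEST_METHOD'] ?? 'GET') === 'POST') {
        // The credentials already crossed the wire in clear text. Do not
        // authenticate; drop the body and send the browser to the secure
        // form (303 makes the follow-up request a GET).
        return ['action' => 'reject', 'status' => 303, 'location' => $target];
    }
    // A plain GET of the login page sent nothing sensitive; a 301 is fine.
    return ['action' => 'redirect', 'status' => 301, 'location' => $target];
}

function send_decision(array $decision): void
{
    if ($decision['action'] === 'proceed') {
        return; // continue with the normal login handling
    }
    $reason = $decision['status'] === 301 ? 'Moved Permanently' : 'See Other';
    header('HTTP/1.1 ' . $decision['status'] . ' ' . $reason);
    header('Location: ' . $decision['location']);
    exit();
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests (not real server data) covering each branch.
    $samples = [
        'HTTPS=on, POST'            => ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/login.php'],
        'no HTTPS key, port 80, GET'  => ['SERVER_PORT' => '80', 'REQUEST_METHOD' => 'GET', 'REQUEST_URI' => '/login.php'],
        'no HTTPS key, port 80, POST' => ['SERVER_PORT' => '80', 'REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/login.php'],
        'IIS HTTPS=off, POST'         => ['HTTPS' => 'off', 'SERVER_PORT' => '80', 'REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/login.php'],
        'X-Forwarded-Proto, untrusted' => ['SERVER_PORT' => '80', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/login.php'],
    ];
    foreach ($samples as $label => $server) {
        echo str_pad($label, 30) . ' => ' . json_encode(enforce_https($server)) . PHP_EOL;
    }
} else {
    // In the real login.php: decide before touching $_POST at all.
    send_decision(enforce_https($_SERVER));
}
```

Run it from the command line to see the five decisions; in the web SAPI the call at the bottom runs before any of `$_POST` is read, which is the ordering the question asks for. The untrusted X-Forwarded-Proto sample is rejected on purpose: flip `$trustProxy` to true only when a proxy in front of PHP overwrites that header.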
Whatever page you use to display your login form should already be using https:// before the form is filled out, and then it should be submitted to another https:// address. Otherwise, you'll leave the form open to attack.
You could look into mod_rewrite to automatically redirect any request using http:// to https://, at least for your login page.
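The mod_rewrite approach suggested in this answer and in the earlier one, as an added configuration example (not from the original page). It assumes mod_rewrite is enabled, that the rules sit in the port-80 VirtualHost or its .htaccess, and that `example.com` is a placeholder for the real hostname:

```apache
# Added example, not part of the original page: send plain-HTTP requests for
# the login page to HTTPS before PHP runs, so the form is never served over
# HTTP and the browser never posts credentials to an http:// action.
RewriteEngine On

# Only act on requests that arrived without TLS.
RewriteCond %{HTTPS} !=on

# Limit the rule to the login page; remove this line to force HTTPS site-wide.
RewriteCond %{REQUEST_URI} ^/login\.php$ [NC]

# Redirect to a fixed hostname rather than %{HTTP_HOST}, which the client
# controls (assumption: example.com is the canonical name of this site).
RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
```

This protects the GET that fetches the form. It does not rescue a POST that has already arrived over port 80: by then the credentials are on the wire, so the PHP side should still refuse to log the user in when the request was not HTTPS.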