How to redirect page to HTTPS in PHP?

Patrioticcow · Feb 3, 2012 · Viewed 15.6k times

I have a login form:

<form method="POST" action="/login.php">
...
</form>

I would like the login.php page to redirect to using HTTPS.

I don't want to send the user to https://.../login.php because they might change the link. But I want to do a redirect on the server side before I parse the login form data and log the user in.

I found an example:

if($_SERVER["HTTPS"] != "on") {
   header("HTTP/1.1 301 Moved Permanently");
   header("Location: https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);
   exit();
}

But I don't have $_SERVER["HTTPS"] if I var_dump($_SERVER);

I do have $_SERVER['SERVER_PORT'], which is 80.

Any ideas?

Thanks

Answer

drew010 · Feb 3, 2012

If you allow them to post to /login.php over plain HTTP and then redirect to HTTPS, you defeat the purpose of using HTTPS because the login information has already been sent in plain text over the internet.

What you could do to prevent the user from changing the URL is make it so the login page rejects the login if it is not over HTTPS.

What I use to check for the use of HTTPS is the following:

if (!isset($_SERVER['HTTPS']) || !$_SERVER['HTTPS']) {
    // request is not using SSL, redirect to https, or fail
}

If you are running your secure server on the default port of 443, then you can also check to see if that is the port, but PHP sets the $_SERVER['HTTPS'] value to non-empty if SSL is used, so I would check for the presence of that for best practice.

EDIT:

If the user is so inclined to manually change the https to http and wants to send their information over plain text, there isn't anything you can do to stop them, but if you disallow login over HTTP, so even the correct information will not log them in, you can force them to use https by making it the only thing that works.
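
One way to implement the answer's advice, as an added example that is not part of the original question or answer: login.php refuses a credential POST that arrives over plain HTTP and only redirects requests that carry no form data. The function names `request_is_https` and `login_gate` are hypothetical, and the code assumes PHP sees the TLS connection directly (no TLS-terminating proxy in front).

```php
<?php
// Added example, not code from the question or the answer.
// Assumption: PHP sees the TLS connection directly (no TLS-terminating proxy).

/** True when this request arrived over HTTPS. */
function request_is_https(array $server): bool
{
    // PHP sets HTTPS to a non-empty value under TLS; IIS/ISAPI reports "off"
    // for plain HTTP, so treat that value as "not HTTPS" as well.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Fallback mentioned in the answer: the default HTTPS port.
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

/**
 * Decide what login.php should do before it touches any form data.
 * Returns [HTTP status, headers to send, whether to proceed with login].
 */
function login_gate(array $server): array
{
    if (request_is_https($server)) {
        return [200, [], true];
    }
    if (($server['REQUEST_METHOD'] ?? 'GET') === 'POST') {
        // The credentials already crossed the network in clear text. Refuse
        // the login instead of redirecting, so plain HTTP never "works".
        return [403, [], false];
    }
    // A GET carries no credentials, so redirecting it to HTTPS is fine.
    $url = 'https://' . $server['SERVER_NAME'] . $server['REQUEST_URI'];
    return [301, ['Location: ' . $url], false];
}

// Top of login.php (skipped under the CLI so the functions can be tested).
if (PHP_SAPI !== 'cli') {
    [$status, $headers, $proceed] = login_gate($_SERVER);
    if (!$proceed) {
        http_response_code($status);
        foreach ($headers as $h) {
            header($h);
        }
        exit($status === 403 ? 'Login is only accepted over HTTPS.' : '');
    }
    // ... parse $_POST and authenticate the user here ...
}
```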