Switching between HTTP and HTTPS

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

dogensan
Forum Newbie
Posts: 4
Joined: Wed Nov 15, 2006 9:08 pm

Switching between HTTP and HTTPS

Post by dogensan »

Hi there,

First the mandatory disclaimer - yes I have been through the previous posts and researched quite a bit on this, but to no complete avail thus far, hopefully somebody here can point me in the right direction - what I've read so far has been very helpful.


I'm in the process of setting up an online store.

At the point of taking the order details from the customer (name, address etc), I hard code a link to the orderform

(i.e. <a href="https://www.sitename.com/orderform.php">)

Thus switching from HTTP to HTTPS. This is easy to ensure with my host, as they have it set up so that any files in the httpsdocs folder are only available when the address is https://etc., so ensuring HTTPS is not an issue.

The issue I am having is that once https://www.sitename.com/orderform.php has loaded, all my links change to reflect https://etc., i.e. links back to the home page, links to orderform2.

Now of course I want orderpage2.php and any subsequent order pages to remain in HTTPS mode; however, if the user backs out of the order by clicking on the HOME page, they will now be looking at the home page under HTTPS, not HTTP.

It has been suggested that I hard code all the links, so that once in the order form, links back to the home page will be hard coded: <a href="http://www.sitename.com/homepage.php"> etc.

A couple of problems with this -
1. Development/testing on my locally hosted server becomes very difficult, as I won't be able to test on anything but the live page.

2. I use a template that is universal for every page of the site... If I place code that changes out from HTTPS to HTTP, it also needs to work as a regular link when someone is viewing the site and goes from HTTP to HTTP.

I hope I have explained this properly.

And many many thanks in advance for any advice, even links to tutorials/further reading, whatever it might be.

cheers,
Dogen
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

This is easily accomplished using a front controller, where all actions are directed to a single application entry point. At this point you can control whether or not the http request was made in https.

Another method could be to create a function, which all your files in that secured folder call, i.e.

Code:

function checkHttpsRequest()
{
    // $_SERVER['HTTPS'] is 'on' under Apache; IIS sets it to 'off' for plain HTTP
    if (empty($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) === 'off')
    {
        exit('File must be accessed securely');
    }
}

And at the top of every page, simply call this function.
dogensan
Forum Newbie
Posts: 4
Joined: Wed Nov 15, 2006 9:08 pm

Post by dogensan »

Thanks for the response Jcart, but my issue is not ensuring that users are browsing a page in HTTPS, rather how do I get them to switch back to HTTP once they have entered into HTTPS?

Will it be a problem if every now and again someone enters the order page, initiates an HTTPS connection, then exits out to the home page and continues to browse the non-secure pages on my site via a secure HTTPS connection? Will this place undue strain on the server?

Cheers
Dogen.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Hardcode the URLs if you can:

<a href="http://domain.com/somepage"> versus <a href="/somepage">
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

dogensan wrote: Thanks for the response Jcart, but my issue is not ensuring that users are browsing a page in HTTPS, rather how do I get them to switch back to HTTP once they have entered into HTTPS?
Just as Jcart suggested, only adapt it to your problem:

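Code:

function checkHttpsRequest()
{
    // Redirect to the plain-HTTP URL when the request arrived over HTTPS
    // ('on' under Apache; IIS sets the value to 'off' for plain HTTP)
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off')
    {
        header("Location: http://www.somesite.com" . $_SERVER['REQUEST_URI']);
        exit();
    }
}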
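
One way to combine the two suggestions in this thread (absolute links that work from a shared template, and a per-page scheme redirect), as an added example that is not part of any post. SITE_HOST, SECURE_PATHS and all function names are assumptions made for illustration, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the thread). SITE_HOST is a hypothetical setting:
// change it per environment, e.g. 'localhost' on a development machine.
const SITE_HOST = 'www.sitename.com';

// Paths that must be served over HTTPS (names taken from the question).
const SECURE_PATHS = ['/orderform.php', '/orderpage2.php'];

// True when the current request arrived over TLS. Apache sets HTTPS to 'on';
// IIS sets it to 'off' for plain HTTP, so both cases are handled.
function is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Scheme a given path should use: https for order pages, http otherwise.
function scheme_for(string $path): string
{
    $file = parse_url($path, PHP_URL_PATH);
    return in_array($file, SECURE_PATHS, true) ? 'https' : 'http';
}

// Absolute link for the shared template: site_url('/homepage.php').
function site_url(string $path): string
{
    return scheme_for($path) . '://' . SITE_HOST . '/' . ltrim($path, '/');
}

// Returns the URL to redirect to when the request used the wrong scheme,
// or null when the scheme already matches. The host comes from SITE_HOST,
// never from the client-supplied Host header.
function redirect_target(array $server): ?string
{
    $uri = '/' . ltrim($server['REQUEST_URI'] ?? '/', '/');
    $current = is_https($server) ? 'https' : 'http';
    return scheme_for($uri) === $current ? null : site_url($uri);
}

// Call at the top of each page, before any output.
function enforce_scheme(): void
{
    $target = redirect_target($_SERVER);
    if ($target !== null) {
        header('Location: ' . $target, true, 302);
        exit;
    }
}
```

Because the template only ever calls site_url(), the same link markup works whether the visitor is currently on an HTTP or an HTTPS page, and switching SITE_HOST is enough to test locally.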
dogensan
Forum Newbie
Posts: 4
Joined: Wed Nov 15, 2006 9:08 pm

Post by dogensan »

Excellent, Thanks for the help guys!