Php check if page is https

Use PHP to Check If Page Was Accessed with Ssl

You should be able to check that $_SERVER[‘HTTPS’] is set, e.g.:

if (empty($_SERVER['HTTPS'])) header('Location: https://mywebserver.com/login.php'); 
exit;
>

How to detect secure connection (https) using PHP?

You could do something like this in your config file rather than editing every script.

// will match /login.php and /checkout.php as examples
$force_ssl = preg_match('/\/(login|checkout)\.php(.+)?/', $_SERVER['REQUEST_URI']);
$using_ssl = (isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) ? true : false;

$url = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];

if ($force_ssl && !$using_ssl)  
// redirect to SSL 
header('Location: https://' . $url);

> elseif (!$force_ssl && $using_ssl)  
// redirect back to normal 
header('Location: http://' . $url);

>

Then if your certificate expires, just set $force_ssl to false in your config file and it’ll take care of every script which previously redirected.

Now the question has been clarified, you could create a PHP script like this (code taken from https://stackoverflow.com/a/4741196/654678)

// get and check certificate
$get = stream_context_create(array("ssl" => array("capture_peer_cert" => TRUE)));
$read = stream_socket_client("ssl://www.google.com:443", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $get);
$cert = stream_context_get_params($read);

$valid = ($cert["options"]["ssl"]["peer_certificate"] != NULL) ? true : false;

// save validity in database or somewhere else accessible

Then set up a crontab, or daily task or whatever to hit that PHP script daily. If there is no certificate, it’ll return NULL and be marked as invalid. Check the validity with your script and you’re good to go.

How to check if website is secure using PHP

If you access a web page via https the browser encodes you request with SSL.
If you access a web page via http it is not encoded.
The certificate is just the proof for the user that the encoding is safe. The variable $_SERVER[‘HTTPS’] just says whether the user accessed the page via https or http.

How to find out if you’re using HTTPS without $_SERVER[‘HTTPS’]

This should always work even when $_SERVER[‘HTTPS’] is undefined:

function isSecure() return 
(!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') 
|| $_SERVER['SERVER_PORT'] == 443;
>

The code is compatible with IIS.

From the PHP.net documentation and user comments :

1. Set to a non-empty value if the script was queried through the HTTPS protocol.
2. Note that when using ISAPI with IIS, the value will be «off» if the request was not made through the HTTPS protocol. (Same behaviour has been reported for IIS7 running PHP as a Fast-CGI application).

Also, Apache 1.x servers (and broken installations) might not have $_SERVER[‘HTTPS’] defined even if connecting securely. Although not guaranteed, connections on port 443 are, by convention, likely using secure sockets, hence the additional port check.

Additional note: if there is a load balancer between the client and your server, this code doesn’t test the connection between the client and the load balancer, but the connection between the load balancer and your server. To test the former connection, you would have to test using the HTTP_X_FORWARDED_PROTO header, but it’s much more complex to do; see latest comments below this answer.

Check if a website is using SSL using CURL

I think using cURL is an overkill but anyways here you go.

function ignoreHeader( $curl, $headerStr ) return strlen( $headerStr );
>

$curl = curl_init( "https://example.com/" );
curl_setopt( $curl, CURLOPT_NOBODY, TRUE );
curl_setopt( $curl, CURL_HEADERFUNCTION, 'ignoreHeader' );
curl_exec( $curl );

$result = false;
if ( curl_errno($curl) == 0 ) $info = curl_getinfo( $curl ); 
if ( $info['http_code'] == 200 ) $result = true; 
>
>
?>

PHP — without cURL

If you want to check if a website has an SSL certificate. You can just open a stream and check for SSL certificate parameter.

// Create a stream context
$stream = stream_context_create ( array( "ssl" => array( "capture_peer_cert" => true ) ) );

// Bind the resource 'https://www.example.com' to $stream
$read = fopen( "https://www.example.com", "rb", false, $stream );

// Get stream parameters
$params = stream_context_get_params( $read );

// Check that SSL certificate is not null
// $cert should be for example "resource(4) of type (OpenSSL X.509)" 
$cert = $params["options"]["ssl"]["peer_certificate"];
$result = ( !is_null( $cert ) ) ? true : false;
?>

If you want to check if a host accepts a connection on 443 port, you can use fsockopen to initiate a socket connection with the host.

// Set host and port. 
$host = 'example.com';
$port = 443;

// Initiate a socket connection with 'example.com' and check the result. 
$fp = fsockopen('ssl://'. $host, $port, $errno, $errstr, 30);
$result = ( !is_null( $fp ) ) ? true : false;
?>

How to find out SSL certificate is installed on a server? (Using PHP)

You can check the $_SERVER[‘HTTPS’] variable.

PHP redirect to HTTPS if page is

//force the page to use ssl 
if ($_SERVER["SERVER_PORT"] != 443) $redir = "Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']; 
header($redir); 
exit();
>

$_SERVER, It is an array containing information such as headers, paths, and script locations.

Detecting SSL With PHP

$_SERVER[‘HTTPS’]

Set to a non-empty value if the script was queried through the HTTPS protocol.

Note: Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol.

http://www.php.net/manual/en/reserved.variables.server.php

if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') // SSL connection
>

How can I prevent access to PHP files if the caller isn’t using HTTPS?

Slightly off topic, but if you’re using PHP with Apache Httpd and mod_ssl , you can force SSL access to files (and PHP scripts) by placing the SSLRequireSSL directive in .htaccess or in the Directory configuration.

Источник

Check if the page called from HTTP or HTTPS in PHP

We often find websites which may contain HTTP or HTTPS protocol. These indicate if a website is sucure or not with SSL. Now, in this article, we are going to learn how to check if the web page called from HTTP or HTTPS in PHP.

It may often be needed to detect if the page request is HTTPS or not to perform task relate to web security. So we are going to learn how to detect if the request is HTTPS or not.

To do this task we are going to check the PHP $_SERVER global variable. You can learn about this global variable from the official PHP website. This variable has the information which we can use to determine if the page is secure with HTTPS or not.

Below is our PHP code to detect if the page has HTTP or HTTPS:

So what we did in our above code?

We have checked if the page is not secure with HTTPS or by checking $_SERVER[‘HTTPS’] and $_SERVER[‘SERVER_PORT’]. In our, if else statement, we have checked if $_SERVER[‘HTTPS’] is empty and it is off or $_SERVER[‘SERVER_PORT’] is not equal to 443.

Now let me tell you what we did in general.

If our web page called via HTTP, we are redirecting to our secure HTTPS version of the site using the PHP header redirection. Otherwise, we do nothing if the page already called from HTTPS.

Now you can also perform the above code and modify it as your requirement. You can do whatever you want if the page called from HTTP or HTTPS just by putting your own code in the if else statement.

Источник

Use PHP to check if page was accessed with SSL

You should be able to check that $_SERVER[‘HTTPS’] is set, e.g.:

Solution 2

Be careful. On my IIS server, $_SERVER[‘HTTPS’] is not empty but has the value ‘off’.

if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') < // no SSL request >

Solution 3

You’ll find this may not work if you are working over forwarded protocols. For example, Amazon’s ELB can handle SSL negotiation and interact with your app servers over port 80.

Solution 4

Well, Here is another chunk of code. The code will return full url with https/http.

 else < return false; >> /** * Example Use */ define('APP_URL', (isSecure() ? 'https' : 'http') . "://".str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME'])); echo APP_URL; /** * +++++++++++++++++++++++++ * OR - One line Code * +++++++++++++++++++++++++ */ define('APP_URL', ((( ! empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || ( ! empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') || ( ! empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on') || (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443) || (isset($_SERVER['HTTP_X_FORWARDED_PORT']) && $_SERVER['HTTP_X_FORWARDED_PORT'] == 443) || (isset($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https') ) ? 'https' : 'http') . "://".str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME'])); echo APP_URL; ?> 

Solution 5

Another method is to check for the existence of HTTPS cookies. First your server needs to send the browser a cookie with the secure flag:

Set-Cookie:some_key=some_value;secure 

After your server has sent the browser the cookie, whenever the browser requests a page from your server, it will send along the secure cookie some_key=some_value only if it is requesting a HTTPS page. This means that if you see the existence of the cookie some_key=some_value you know that the browser is requesting a HTTPS page. Voila!

Browser support is very good, as this is fundamental to security. Browsers without support for HTTPS cookies are Firesheepable when users request pages from non-HSTSed domains.

Источник

Use PHP to check if page was accessed with SSL

You should be able to check that $_SERVER[‘HTTPS’] is set, e.g.:

Solution 2

Be careful. On my IIS server, $_SERVER[‘HTTPS’] is not empty but has the value ‘off’.

if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') < // no SSL request >

Solution 3

You’ll find this may not work if you are working over forwarded protocols. For example, Amazon’s ELB can handle SSL negotiation and interact with your app servers over port 80.

Solution 4

Well, Here is another chunk of code. The code will return full url with https/http.

 else < return false; >> /** * Example Use */ define('APP_URL', (isSecure() ? 'https' : 'http') . "://".str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME'])); echo APP_URL; /** * +++++++++++++++++++++++++ * OR - One line Code * +++++++++++++++++++++++++ */ define('APP_URL', ((( ! empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || ( ! empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') || ( ! empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on') || (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443) || (isset($_SERVER['HTTP_X_FORWARDED_PORT']) && $_SERVER['HTTP_X_FORWARDED_PORT'] == 443) || (isset($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https') ) ? 'https' : 'http') . "://".str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME'])); echo APP_URL; ?> 

Solution 5

Another method is to check for the existence of HTTPS cookies. First your server needs to send the browser a cookie with the secure flag:

Set-Cookie:some_key=some_value;secure 

After your server has sent the browser the cookie, whenever the browser requests a page from your server, it will send along the secure cookie some_key=some_value only if it is requesting a HTTPS page. This means that if you see the existence of the cookie some_key=some_value you know that the browser is requesting a HTTPS page. Voila!

Browser support is very good, as this is fundamental to security. Browsers without support for HTTPS cookies are Firesheepable when users request pages from non-HSTSed domains.

Источник