Question

I have a login form:

<form method="POST" action="/login.php">
...
</form>

I would like the login.php page to redirect to using https.

I don't want to send the user to https://.../login.php because they might change the link, but I want to do a redirect on the server side before I parse the login form data and log the user in.

I found an example:

if($_SERVER["HTTPS"] != "on") {
   header("HTTP/1.1 301 Moved Permanently");
   header("Location: https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);
   exit();
}

But I don't have $_SERVER["HTTPS"] if I var_dump($_SERVER);

I do have $_SERVER['SERVER_PORT'], which is 80.

Any ideas?

Thanks

Was it helpful?

Solution

If you allow them to post to /login.php over plain HTTP and then redirect to HTTPS, you defeat the purpose of using HTTPS because the login information has already been sent in plain text over the internet.

What you could do to prevent the user from changing the URL, is make it so the login page rejects the login if it is not over HTTPS.

What I use to check for the use of HTTPS is the following:

if (!isset($_SERVER['HTTPS']) || !$_SERVER['HTTPS']) {
    // request is not using SSL, redirect to https, or fail
}

If you are running your secure server on the default port of 443, then you can also check to see if that is the port, but PHP sets the $_SERVER['HTTPS'] value to non-empty if SSL is used so I would check for the presence of that for best practice.

EDIT:

If the user is so inclined to manually change the https to http and wants to send their information over plain text, there isn't anything you can do to stop them, but if you disallow login over HTTP, so that even the correct information will not log them in, you can force them to use https by making it the only thing that works.

Other suggestions

Whatever page you use to display your login form should already be using https:// before the form is filled out, and then it should be submitted to another https:// address. Otherwise, you'll leave the form open to attack.

You could look into mod_rewrite to automatically redirect any request using http:// to https://, at least for your login page.

// $requireSSL: true for pages that must only be served over TLS
if($requireSSL && $_SERVER['SERVER_PORT'] != 443) {
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
    exit();
}

Assuming that your page with the login form is generated by index.php, you need to put the example code for HTTP to HTTPS redirection in index.php. This will ensure that when the user fills up the form and submits it, it is submitted to /login.php via HTTPS and not HTTP.

Putting this check inside login.php is futile because by the time login.php gets the request and tries to redirect to the corresponding HTTPS URL, well, the credentials have already been submitted to it as plaintext which is what you should want to avoid.

The observation that you see $_SERVER['SERVER_PORT'] to be 80 and $_SERVER["HTTPS"] to be not set when you put the check inside login.php is further proof of the fact that login credentials are being submitted to it via HTTP and thus the login credentials are reaching your server from the client unencrypted. This has to be avoided by following what I said in the first paragraph of this response.

BTW, I wouldn't use PHP to do this sort of redirection. Such redirections are very conveniently handled by mod_rewrite in Apache HTTPD.

An example, assuming that your login page is available at the URL, http://example.com/foo/:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^foo/$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
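The two checks the answers describe, as an added PHP example (not code from the question, the answers or any project): a redirect on the page that renders the form, and an outright refusal on login.php when credentials arrive over plain HTTP. It assumes PHP sees the TLS connection directly (no TLS-terminating reverse proxy in front) and that the CANONICAL_HOST placeholder is replaced with the site's own hostname.

```php
<?php
// Added example, not from the question or answers. Assumes PHP sees the TLS
// connection directly (no reverse proxy) and a fixed hostname (placeholder below).
const CANONICAL_HOST = 'www.example.com'; // placeholder, constructed value

// True when the request arrived over TLS. PHP sets $_SERVER['HTTPS'] non-empty
// on TLS; some SAPIs (IIS) set it to "off" on plain HTTP, so that counts as
// not secure. Port 443 is the fallback the answers mention.
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

// Same path on the configured host. Using CANONICAL_HOST instead of
// $_SERVER['HTTP_HOST'] keeps a client-supplied Host header out of the Location.
function https_url_for(string $requestUri): string
{
    return 'https://' . CANONICAL_HOST . $requestUri;
}

// index.php (renders the form): redirect before any credentials exist, so the
// form and its action URL are fetched over HTTPS.
function require_https_or_redirect(array $server): void
{
    if (request_is_https($server)) {
        return;
    }
    header('HTTP/1.1 301 Moved Permanently');
    header('Location: ' . https_url_for($server['REQUEST_URI']));
    exit();
}

// login.php (form target): a redirect here is too late, the password is already
// on the wire in clear text. Refuse and never touch $_POST.
function require_https_or_reject(array $server): void
{
    if (request_is_https($server)) {
        return;
    }
    http_response_code(403);
    exit("Login is accepted over HTTPS only.\n");
}

// In index.php: require_https_or_redirect($_SERVER);
// In login.php: require_https_or_reject($_SERVER); then read $_POST and verify.
```

The rejection branch deliberately sends no redirect, so a submission over HTTP fails visibly in logs and in the browser instead of being silently retried over TLS.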
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow