How to find out if you're using HTTPS without $_SERVER['HTTPS']
This should always work even when $_SERVER['HTTPS']
is undefined:
function isSecure() {
return
(!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
|| $_SERVER['SERVER_PORT'] == 443;
}
The code is compatible with IIS.
From the PHP.net documentation and user comments :
Set to a non-empty value if the script was queried through the HTTPS protocol.
Note that when using ISAPI with IIS, the value will be "off" if the request was not made through the HTTPS protocol. (Same behaviour has been reported for IIS7 running PHP as a Fast-CGI application).
Also, Apache 1.x servers (and broken installations) might not have $_SERVER['HTTPS']
defined even if connecting securely. Although not guaranteed, connections on port 443 are, by convention, likely using secure sockets, hence the additional port check.
Additional note: if there is a load balancer between the client and your server, this code doesn't test the connection between the client and the load balancer, but the connection between the load balancer and your server. To test the former connection, you would have to test using the HTTP_X_FORWARDED_PROTO
header, but it's much more complex to do; see latest comments below this answer.
Detecting SSL With PHP
$_SERVER['HTTPS']
Set to a non-empty value if the script was queried through the HTTPS protocol.
Note: Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol.http://www.php.net/manual/en/reserved.variables.server.php
Ergo, this'll do:
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
// SSL connection
}
Use PHP to check if page was accessed with SSL
You should be able to check that $_SERVER['HTTPS']
is set, e.g.:
if (empty($_SERVER['HTTPS'])) {
header('Location: https://mywebserver.com/login.php');
exit;
}
Confusion about usage of $_SERVER['HTTPS']
Documentation sais:
Set to a non-empty value if the script was queried through the HTTPS protocol.
It is only set, if called via https.
'off' is only used on IIS.
Why isn't _SERVER[HTTPS] set to 1?
It turns out that because of the Load Balancer, which handles the SSL encryption/decryption the Web Server doesn't get $_SERVER["HTTPS"], but $_SERVER["HTTP_USESSL"] is set and can be used as a flash for SSL traffic.
Related Topics
PHP - How to Create a Newline Character
How to Set Order by Params Using Prepared Pdo Statement
How to Stop People Hacking the PHP-Based Highscore Table of a Flash Game
Where Do We Use the Object Operator "-≫" in PHP
How to Query Between Two Dates Using Laravel and Eloquent
Remove All Attributes from HTML Tags
Best Way to Parse Rss/Atom Feeds With PHP
How to Write SQL For a Table That Shares the Same Name as a Protected Keyword in MySQL
Max Size of Url Parameters in _Get
Upgrading My Encryption Library from Mcrypt to Openssl
How to Fix Error: Laravel.Log Could Not Be Opened
Laravel: Syntax Error or Access Violation: 1055 Error
Finding N-Th Permutation Without Computing Others