Use PHP to Check If Page Was Accessed with Ssl

Use PHP to check if page was accessed with SSL

You should be able to check that $_SERVER['HTTPS'] is set, e.g.:

if (empty($_SERVER['HTTPS'])) {
    header('Location: https://mywebserver.com/login.php');
    exit;
}

How to detect secure connection (https) using PHP?

You could do something like this in your config file rather than editing every script.

<?php

// will match /login.php and /checkout.php as examples
$force_ssl = preg_match('/\/(login|checkout)\.php(.+)?/', $_SERVER['REQUEST_URI']);
$using_ssl = (isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) ? true : false;

$url = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];

if ($force_ssl && !$using_ssl) {

    // redirect to SSL
    header('Location: https://' . $url);

} elseif (!$force_ssl && $using_ssl) {

    // redirect back to normal
    header('Location: http://' . $url);

}

Then if your certificate expires, just set $force_ssl to false in your config file and it'll take care of every script which previously redirected.

---

Now the question has been clarified, you could create a PHP script like this (code taken from https://stackoverflow.com/a/4741196/654678)

<?php

// get and check certificate
$get = stream_context_create(array("ssl" => array("capture_peer_cert" => TRUE)));
$read = stream_socket_client("ssl://www.google.com:443", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $get);
$cert = stream_context_get_params($read);

$valid = ($cert["options"]["ssl"]["peer_certificate"] != NULL) ? true : false;

// save validity in database or somewhere else accessible

Then set up a crontab, or daily task or whatever to hit that PHP script daily. If there is no certificate, it'll return NULL and be marked as invalid. Check the validity with your script and you're good to go.

How to check if website is secure using PHP

If you access a web page via https the browser encodes you request with SSL.
If you access a web page via http it is not encoded.
The certificate is just the proof for the user that the encoding is safe. The variable $_SERVER['HTTPS'] just says whether the user accessed the page via https or http.

How to find out if you're using HTTPS without $_SERVER['HTTPS']

This should always work even when $_SERVER['HTTPS'] is undefined:

function isSecure() {
  return
    (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || $_SERVER['SERVER_PORT'] == 443;
}

The code is compatible with IIS.

From the PHP.net documentation and user comments :

1. Set to a non-empty value if the script was queried through the HTTPS protocol.

2. Note that when using ISAPI with IIS, the value will be "off" if the request was not made through the HTTPS protocol. (Same behaviour has been reported for IIS7 running PHP as a Fast-CGI application).

Also, Apache 1.x servers (and broken installations) might not have $_SERVER['HTTPS'] defined even if connecting securely. Although not guaranteed, connections on port 443 are, by convention, likely using secure sockets, hence the additional port check.

Additional note: if there is a load balancer between the client and your server, this code doesn't test the connection between the client and the load balancer, but the connection between the load balancer and your server. To test the former connection, you would have to test using the HTTP_X_FORWARDED_PROTO header, but it's much more complex to do; see latest comments below this answer.

Check if a website is using SSL using CURL

PHP - cURL

I think using cURL is an overkill but anyways here you go.

<?php
function ignoreHeader( $curl, $headerStr ) {
  return strlen( $headerStr );
}

$curl = curl_init( "https://example.com/" );
curl_setopt( $curl, CURLOPT_NOBODY, TRUE );
curl_setopt( $curl, CURL_HEADERFUNCTION, 'ignoreHeader' );
curl_exec( $curl );

$result = false;
if ( curl_errno($curl) == 0 ) {
  $info = curl_getinfo( $curl );
  if ( $info['http_code'] == 200 ) {
    $result = true;
  }
}
?>

PHP - without cURL

If you want to check if a website has an SSL certificate. You can just open a stream and check for SSL certificate parameter.

<?php
// Create a stream context
$stream = stream_context_create ( array( "ssl" => array( "capture_peer_cert" => true ) ) );

// Bind the resource 'https://www.example.com' to $stream
$read   = fopen( "https://www.example.com", "rb", false, $stream );

// Get stream parameters
$params  = stream_context_get_params( $read );

// Check that SSL certificate is not null
// $cert should be for example "resource(4) of type (OpenSSL X.509)" 
$cert   = $params["options"]["ssl"]["peer_certificate"];
$result = ( !is_null( $cert ) ) ? true : false;
?>

If you want to check if a host accepts a connection on 443 port, you can use fsockopen to initiate a socket connection with the host.

<?php
// Set host and port. 
$host   = 'example.com';
$port   = 443;

// Initiate a socket connection with 'example.com' and check the result. 
$fp     = fsockopen('ssl://'. $host, $port, $errno, $errstr, 30);
$result = ( !is_null( $fp ) ) ? true : false;
?>

How to find out SSL certificate is installed on a server? (Using PHP)

You can check the $_SERVER['HTTPS'] variable.

PHP redirect to HTTPS if page is

Here You go.

//force the page to use ssl 
if ($_SERVER["SERVER_PORT"] != 443) {
    $redir = "Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
    header($redir);
    exit();
}

$_SERVER, It is an array containing information such as headers, paths, and script locations.

Detecting SSL With PHP

$_SERVER['HTTPS']

Set to a non-empty value if the script was queried through the HTTPS protocol.

Note: Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol.

http://www.php.net/manual/en/reserved.variables.server.php

Ergo, this'll do:

if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
    // SSL connection
}

How can I prevent access to PHP files if the caller isn't using HTTPS?

Slightly off topic, but if you're using PHP with Apache Httpd and mod_ssl, you can force SSL access to files (and PHP scripts) by placing the SSLRequireSSL directive in .htaccess or in the Directory configuration.

---

Related Topics