PHP Issues with SSL

Hi all, I have installed an SSL certificate successfully and all is working, kind of. I only want to use SSL on pages where data entry is required, such as the login and basket pages. This bit is working. The problem is that once you are on an SSL page, every other page then uses SSL instead of going back to just HTTP. I tried putting an else in with a header, but then my browser just says that there was a problem redirecting. Any help is hugely appreciated :)

//Force some required pages to use SSL
if(isset($_GET['main_page'])):
	$ssl_pages = array('login', 'basket');
	if(in_array($_GET['main_page'], $ssl_pages) && @$_SERVER['HTTPS']!='on'):
		header('Location: https://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']);
		exit; // stop the script so the rest of the page is not sent over HTTP
	endif;
endif;

If you just put an “else” on that inner condition, you’ll match all HTTP requests, which means you’ll put users into an infinite redirect loop from the HTTP pages to the same HTTP pages.

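if (isset($_GET['main_page'])) {
    // Pages that must be served over HTTPS
    $ssl_pages = array('login', 'basket');
    if (in_array($_GET['main_page'], $ssl_pages) && @$_SERVER['HTTPS']!='on') {
        header('Location: https://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']);
        exit; // stop the script once the redirect has been sent
    }
} elseif (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
    // No main_page parameter and the request came in over HTTPS: send it back to HTTP
    header('Location: http://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']);
    exit;
}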

Hey man, thanks for the reply. So does this mean that I am then stuck in what I can do?

I don’t know why you want to jump back to HTTP after using HTTPS. The slowest part of HTTPS is the initial connection to the server during the SSL handshake or whenever SSL session renegotiation takes place. Browsers and servers tend to hold SSL connections open longer because they are expensive to set up. But, once set up, there isn’t much noticeable difference between an insecure and secure connection from a performance standpoint - the usual reason someone wants to switch back to HTTP is “performance”, but you’ll drop any active SSL connections in the process thus negating any performance benefits you might temporarily gain when you go to check out later. Also, by switching back to HTTP, you expose to anyone sniffing traffic what the person is putting into their shopping cart or simply viewing for possible purchase.
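Added example, not part of any post in this thread: one way to keep every page on HTTPS, as the last reply recommends, without a redirect loop. `CANONICAL_HOST`, the function names and the sample requests are assumptions made for the illustration.

```php
<?php
// Include at the top of every page, before any output is sent.
const CANONICAL_HOST = 'shop.example.com'; // assumption: replace with the site's host name

/** True when the current request arrived over TLS. */
function request_is_https(array $server): bool
{
    // The HTTPS key is absent or empty on plain HTTP; IIS sets it to 'off'.
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

/** Returns the HTTPS URL to redirect to, or null when no redirect is needed. */
function https_redirect_target(array $server): ?string
{
    if (request_is_https($server)) {
        return null; // already secure, so the redirect can never loop
    }
    // Fixed host name rather than a value taken from the request.
    return 'https://' . CANONICAL_HOST . ($server['REQUEST_URI'] ?? '/');
}

function enforce_https(array $server): void
{
    $target = https_redirect_target($server);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit; // nothing else is sent over plain HTTP
    }
    // Ask browsers to use HTTPS for future visits (max-age in seconds: one year).
    header('Strict-Transport-Security: max-age=31536000');
    // Session cookie is sent only over HTTPS and is not readable from JavaScript.
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests: run from the command line to see the decision.
    $samples = [
        ['REQUEST_URI' => '/index.php?main_page=basket'],                 // plain HTTP
        ['HTTPS' => 'on', 'REQUEST_URI' => '/index.php?main_page=about'], // already HTTPS
    ];
    foreach ($samples as $s) {
        echo $s['REQUEST_URI'], ' => ', https_redirect_target($s) ?? '(stay on HTTPS)', PHP_EOL;
    }
} else {
    enforce_https($_SERVER);
}
```

If TLS is terminated by a load balancer or proxy in front of PHP, `$_SERVER['HTTPS']` is not set by the web server and the check in `request_is_https()` has to be adapted to that setup, otherwise every request redirects.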