Detect SSL when the proxy *always* claims a secure connection

I want to determine whether the user is browsing a protected page and redirect if not (to log in).

However, my site sits behind a proxy server, and the server and proxy variables (right now) tell me that $_SERVER['HTTPS'] is 'on' when the URI clearly points to something else. It also shows 'on' when the user navigates "safely".

Switching between http:// and https:// likewise yields $_SERVER['SERVER_PORT'] = 443.

I have no way to make changes to the proxy server, so I want to know:

  • Does PHP have any other options for discovering the truth, or ...
  • am I stuck with JavaScript mechanisms for detection and redirection?

I have mined this question for ideas, but they mostly revolve around the $_SERVER['HTTPS'] variable, which is not trustworthy here. Bah!

It seems that this question was hitting at least something similar, but he/she was able to solve it by adapting the Apache solution.

Are there any other PHP $_SERVER variables or tricks to detect what the user's URI begins with? The only differences between the $_SERVER variables when viewing my http site versus https are:

  • _FCGI_X_PIPE_ (appears at random)
  • HTTP_COOKIE (sto-id-47873 is included in the insecure version, but not in the secure one)
  • REMOTE_ADDR (this and the next two keep changing inexplicably!)
  • REMOTE_HOST
  • REMOTE_PORT ('proxy people', why do you keep changing this?)

Are any of these strong enough to put weight on without them giving way and causing pain later? Perhaps I should not trust anything that has been filtered through a proxy server, since it can change at any time.

Here is my plan to use JavaScript for this purpose; is this the best I have?

 // Client-side fallback: if the page was loaded over plain http, reload it over https.
 function confirmSSL() {
     if (location.protocol != "https:") {
         var locale = location.href;
         locale = locale.replace(/http:\/\//, "https://");
         location.replace(locale);
     }
 }

 <body onLoad="confirmSSL()">...

I think that if a user in my community has disabled JavaScript, then they hopefully know what they are doing. They should be able to enter the secure area manually. What <noscript> wording would be common practice? Something like this, maybe?:

 <noscript> Go to https://blah.more.egg/fake to protect your information. </noscript>

Working PHP solutions (with a good explanation) will get preference for the accepted answer. Feel free to submit a better JavaScript implementation, or link to one.

Many thanks!

+6
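As an added example that is not part of the original question or of any of the answers: a server-side scheme check in PHP 7.1+. It assumes a reverse proxy that can be recognised by its address (REMOTE_ADDR) and that sets a forwarded-scheme header such as X-Forwarded-Proto or X-Forwarded-SSL; the asker's proxy evidently sets nothing of the kind, and that case is handled too. The addresses, hosts and header values are constructed for illustration.

```php
<?php
// Added example, not from the original post. Decides whether the *client's*
// connection was HTTPS when a reverse proxy sits in front of PHP.
//
// Rule: a forwarded-scheme header only means something when the TCP peer
// (REMOTE_ADDR) is a proxy you control. Any client can send
// X-Forwarded-Proto: https itself, so trusting the header unconditionally
// lets an attacker "claim" a secure connection. Without a trusted proxy
// header, all PHP can see is the proxy->PHP hop (HTTPS=on, SERVER_PORT=443),
// which is exactly the unreliable signal described in the question.

/**
 * Returns true (https), false (http) or null (cannot be decided server-side).
 *
 * @param array    $server         Normally $_SERVER; passed in so it can be tested.
 * @param string[] $trustedProxies Peer addresses whose forwarded headers we accept.
 */
function requestIsHttps(array $server, array $trustedProxies): ?bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';

    if (in_array($peer, $trustedProxies, true)) {
        // Header names are an assumption about the proxy's configuration.
        if (isset($server['HTTP_X_FORWARDED_PROTO'])) {
            // Several proxies may have appended values; the first is the client hop.
            $proto = strtolower(trim(explode(',', $server['HTTP_X_FORWARDED_PROTO'])[0]));
            return $proto === 'https';
        }
        if (isset($server['HTTP_X_FORWARDED_SSL'])) {
            return strtolower($server['HTTP_X_FORWARDED_SSL']) === 'on';
        }
        // Known proxy that tells us nothing about the client hop: the asker's case.
        return null;
    }

    // Direct connection: PHP's own variables describe the client hop.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

// Constructed sample inputs (no real hosts or proxies).
$trusted = ['10.0.0.5'];

// Client connected to PHP directly over TLS.
$direct = ['REMOTE_ADDR' => '203.0.113.9', 'HTTPS' => 'on', 'SERVER_PORT' => '443'];

// Trusted proxy, TLS on the proxy->PHP hop, but the client used plain http.
$viaProxyHttp = ['REMOTE_ADDR' => '10.0.0.5', 'HTTPS' => 'on', 'SERVER_PORT' => '443',
                 'HTTP_X_FORWARDED_PROTO' => 'http'];

// Untrusted peer supplying the header itself: must be ignored.
$spoofed = ['REMOTE_ADDR' => '203.0.113.9', 'SERVER_PORT' => '80',
            'HTTP_X_FORWARDED_PROTO' => 'https'];

// Trusted proxy that forwards no scheme information at all.
$silentProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTPS' => 'on', 'SERVER_PORT' => '443'];

var_dump(requestIsHttps($direct, $trusted));
var_dump(requestIsHttps($viaProxyHttp, $trusted));
var_dump(requestIsHttps($spoofed, $trusted));
var_dump(requestIsHttps($silentProxy, $trusted));
```

The four cases return true, false, false and null respectively. The null is the honest answer for the situation in the question: when the proxy rewrites the request without forwarding the original scheme, no combination of $_SERVER values (REMOTE_*, SERVER_PORT, HTTPS, cookies) can tell the two cases apart, and the decision has to move to the client or to the proxy configuration.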
3 answers

Although this has already been partially discussed in the comments on the question, I will summarize some suggestions regarding the redirect logic in JavaScript:

  • It is recommended to use window.location instead of location; a description can be found here.
  • A regex seems a little excessive for a simple protocol change.
  • The redirect logic should run as early as possible, because when a redirect happens, any further processing of the document is wasted.
  • Browsers with JavaScript disabled should at least be shown a notice prompting the user to switch to https.

I suggest using the following code (adapted from here), which is short and efficient:

 <head>
 <script type="text/javascript">
 // Runs before the body is parsed: swap the scheme and keep the rest of the URL.
 if (window.location.protocol != "https:") {
     window.location.href = "https:" + window.location.href.substring(window.location.protocol.length);
 }
 </script>
 ...
 </head>
 <body>
 ...
 <noscript>Please click <a href="https://my-cool-secure-site.com">here</a> to use a secure connection!</noscript>
 ...
+3

Just use the client-side approach. If your proxy server is not configured for it, that option is simply missing. Detecting and redirecting via JS is fine.

+1

There is also a way to achieve the redirect without JavaScript on the client side. This method can be especially useful if JavaScript is disabled in the client's browser.
The steps are pure PHP and quite simple:

  • Start the session
  • If this is a new session, redirect to the https location
  • If the session is not new, it can be assumed that the user has already been redirected

Code example:

 <?php
 session_start();
 if( !isset($_SESSION['runningOnHttps']) ) {
     $_SESSION['runningOnHttps'] = true;
     header('Location: https://my-cool-secure-site.com');
     exit; // stop here, otherwise the rest of the page is still generated and sent
 }
 ?>

Naturally, you can limit this functionality to browsers with JavaScript turned off to create a kind of "hybrid mode": whenever there is a new session from a non-JS browser, have it request some callback script that tells the server to send the Location header:

some_landingpage.php sends an initial <noscript> containing a hidden iframe that loads redirect.php:

 if( !isset($_SESSION['checkWasMade']) ) {
     $_SESSION['checkWasMade'] = true;
     // Only non-JS browsers render <noscript>, so only they will request redirect.php
     echo '<noscript>
           <iframe src="redirect.php" style="visibility: hidden; position: absolute; left: -9000px;"></iframe>
           </noscript>';
 }

The request for redirect.php lets you know that JavaScript is disabled and gives you the ability to force the redirect by sending the Location header (see above) on the next actual request.

Of course, this method will only work reliably if the protocol does not change (magically?) within one session.

UPDATE:
The whole method above for handling non-JavaScript user agents can be replaced by an even neater approach:
I just found out that <noscript> can also be placed inside <head>, which allows a simple redirect via a <meta> tag.

Therefore, some_landingpage.php can send an initial meta refresh inside <noscript>:

 // The following echo must appear inside the html head
 if( !isset($_SESSION['checkWasMade']) ) {
     $_SESSION['checkWasMade'] = true;
     echo '<noscript>
           <meta HTTP-EQUIV="REFRESH" content="0; url=https://my-cool-secure-site.com">
           </noscript>';
 }
+1
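As an added example that is not part of the original answer: the "redirect once per session" idea above, written in PHP 7.1+ with the three changes a reviewer would ask for: stop the script after sending Location, keep the requested path and query instead of bouncing everyone to the site root, and never build the target from a raw Host header (it is client-controlled) but from an allowlist. The host names, paths and the helper names httpsRedirectTarget/redirectOnceToHttps are constructed for illustration.

```php
<?php
// Added example, not from the original answer. Session-based http->https
// redirect that preserves the requested URL and validates the target host.

/**
 * Builds the https URL to redirect to, or null if the Host header is not ours.
 *
 * @param array    $server       Normally $_SERVER; passed in so it can be tested.
 * @param string[] $allowedHosts Canonical host names this site answers for.
 */
function httpsRedirectTarget(array $server, array $allowedHosts): ?string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);   // drop an explicit port
    if (!in_array($host, $allowedHosts, true)) {
        return null;   // a forged Host header must not choose the redirect target
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    // Accept only an absolute path without CR/LF (header-breaking characters).
    if (!preg_match('#^/[^\r\n]*$#', $uri)) {
        $uri = '/';
    }
    return 'https://' . $host . $uri;
}

/**
 * Redirects to https on the first request of a session and stops the script.
 * Caveat, as in the original answer: the session cookie for that first request
 * has already travelled in cleartext, and a user who types http:// again
 * later in the same session is not redirected a second time.
 */
function redirectOnceToHttps(array $allowedHosts): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!empty($_SESSION['runningOnHttps'])) {
        return;
    }
    $target = httpsRedirectTarget($_SERVER, $allowedHosts);
    if ($target === null) {
        return;   // unknown host: do nothing rather than redirect somewhere else
    }
    $_SESSION['runningOnHttps'] = true;
    header('Location: ' . $target, true, 302);
    exit;   // without this the rest of the page is generated and sent anyway
}

// Constructed sample inputs showing what the target builder does.
$allowed = ['my-cool-secure-site.com'];
$good = ['HTTP_HOST' => 'my-cool-secure-site.com:80', 'REQUEST_URI' => '/account?tab=2'];
$bad  = ['HTTP_HOST' => 'evil.example', 'REQUEST_URI' => '/account'];
$odd  = ['HTTP_HOST' => 'my-cool-secure-site.com', 'REQUEST_URI' => "/x\r\nSet-Cookie: a=b"];

var_dump(httpsRedirectTarget($good, $allowed));   // path and query kept, port dropped
var_dump(httpsRedirectTarget($bad, $allowed));    // host is not ours
var_dump(httpsRedirectTarget($odd, $allowed));    // suspicious path replaced by '/'

// In a real page this is the very first statement, before any output:
// redirectOnceToHttps($allowed);
```

The three calls give https://my-cool-secure-site.com/account?tab=2, null and https://my-cool-secure-site.com/ respectively. The allowlist matters because otherwise an attacker who can make a victim's browser send a crafted Host header gets a redirect to a domain of their choosing; the session caveat in the comment is why this remains a convenience, not a substitute for terminating TLS and enforcing https at the proxy.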