Check if using HTTPS

Question

Dani 4,310 The Queen of DaniWeb

10 Years Ago

Is the check:

if (!isset($_SERVER['HTTPS']) OR empty($_SERVER['HTTPS']))
{
    // We are NOT using SSL
}

a fool-proof way of checking if we are NOT using SSL with PHP/Apache?

I understand that IIS sets to 'on/off' but that's irrelevant for me. I am just wondering if I additionally need to check for port 443, etc.

apache cybersecurity http-protocol php

6 Contributors
7 Replies
306 Views
1 Day Discussion Span
Latest Post 9 Years Ago Latest Post by lorenzoDAlipio

ryantroop 177 Practically a Master Poster

10 Years Ago

The server super global should also have the port number for the request, $_SERVER["SERVER_PORT"], but the way you are checking is the only way I can think of on the receiving end of a request.

You can always htaccess it up and force all connections over https :/ but I'm guessing that won't really solve your problem.

Edit: I think the value for $_SERVER["HTTPS"] will be a 1 or 0

Edited 10 Years Ago by ryantroop

veedeoo 474 Junior Poster

9 Years Ago

You are doing fine I think. On the other hand, 443 is normally the default Virtual SSL host as defined in httpd-ssl.conf

<VirtualHost _default_:443>

the same port number is use by default in global SSL port to listen to. common in all apache..

#################### Global SSL ##########################
 Listen 443 https

So, if we run this on a page located in the public ssl directory,

if($_SERVER['SERVER_PORT'] !==443){
  echo " We are NOT using SSL";
}

it can provide additional confirmation in checking if using SSL.

if (!isset($_SERVER['HTTPS']) OR empty($_SERVER['HTTPS']) OR ($_SERVER['SERVER_PORT'] !==443)){

     // We are NOT using SSL

}

that will give us the tertiary check point.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Dani 4,310 The Queen of DaniWeb Administrator Featured Poster Premium Member · Answer 1 · 2014-11-02T03:36:46+00:00

You can always htaccess it up and force all connections over https :/ but I'm guessing that won't really solve your problem.

Yeah, that's not really what I'm looking to do. I know I should also have access to SERVER_PORT but not sure if that's necesary to check. My guess is what I'm currently doing should be fine.

jstfsklh211 79 Light Poster · Answer 2 · 2014-11-03T15:24:10+00:00

if (!isset($_SERVER['HTTPS']) OR empty($_SERVER['HTTPS'])

isn't that redundant
doesn't empty() check isset()
why have both

Dani 4,310 The Queen of DaniWeb Administrator Featured Poster Premium Member · Answer 3 · 2014-11-03T15:31:40+00:00

No, empty just checks if the value of the variable is false, empty string, empty array, etc. It does not check if the variable exists at all. Not making sure it exists before checking its value will lead to throwing a PHP notice.

diafol · Answer 4 · 2014-11-03T15:36:59+00:00

isn't that redundant
doesn't empty() check isset()
why have both

No, seems sensible. If it's not set, it's not set - fine. But it could be set and be empty, which is also something that we don't want. Maybe I missed something.

To break it down...

The variable is not set (!isset) - this is a sensible starter to the consitional statement since a check for 'empty' on a variable that doesn't exist would throw an error.

An alternative of isset($var) AND !empty($var) AND ($var2 == $somevalue) could also be used for the opposite.

lorenzoDAlipio 24 Junior Poster in Training · Answer 5 · 2014-11-03T16:06:15+00:00

I totally agree with the Moderator and the Administrator. Item can be set and it can also be empty.

$test = '';

    if(isset($test)){

        echo 'Test is set and is empty';

        }