Most of my ISP's setup their servers to pull from the same base path for both secure forms and non-secure forms, and I use something similar to below to enforce the right one is being used. One of the benefits of doing this is I can imbed the same images and graphics by using the same business path for them and only changing the protocol (https). Most browsers will complain if you imbed http images in a https form. I think this technique of a form enforcing it's own protocol is more reliable that struggling with different paths imbedded things like images. In fact, if a form is entered using the wrong protocol, I'll issue a redirect to correct things. HTH, Warren Vail > -----Original Message----- > From: Daniel Brown [mailto:parasane@xxxxxxxxx] > Sent: Tuesday, February 26, 2008 9:11 AM > To: tedd > Cc: PHP General list > Subject: Re: checking for and enforcing https > > On Tue, Feb 26, 2008 at 11:54 AM, tedd <tedd.sperling@xxxxxxxxx> wrote: > > At present, I use the actual directories (http/https) to determine if > > the operation of the script is secure or not. > > You also hijack other people's threads. No-no, Tedd! *slaps hand* > > > For scripts that don't collect sensitive date, I physically place in > > the http directory. For scripts that do, I place in the https > > directory. > > Not every server configuration has separate directories for secure > and non-secure differentiation. For example, log into your php1.net > account on my server. > > > That's the hard way, right? > > > > Instead, I could place all my scripts where I want and then add > > > > <?php > > if(!isset($_SERVER['HTTPS']) ) { > > > > $url = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : > > $_SERVER['SERVER_NAME']; > > header("Location: > > https://".$url.$_SERVER['PHP_SELF']."?".$_SERVER['QUERY_STRING']); > > exit; > > } > > ?> > > > > at the beginning of each secure script -- is that correct? > > I would still at least use the port 80/443 example that I provided > as a backup for portability. > > Also, keep in mind that all $_SERVER Superglobals were only > introduced in 4.1.0. Any scripts written before that (and any old > versions of PHP) should be using $HTTP_SERVER_VARS. > > > But the redirect still requires a script to be in the https > > directory, does it not? > > That depends solely on the server configuration. Check with your > sysop. > > -- > </Dan> > > Daniel P. Brown > Senior Unix Geek > <? while(1) { $me = $mind--; sleep(86400); } ?> > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
