The Cache: Technology Expert's Forum
 
Author Topic: Switching between HTTP and HTTPS dynamically  (Read 2726 times)
perkiset
« on: May 13, 2009, 08:35:15 PM »

I can't believe I haven't thought of this before. Perhaps others have dealt with this before, but I've never applied any thinking to it though it pisses me off.
I have sites where I need to switch into and out of HTTPS (checkout, maintain my account etc etc). It's always a pain in the butt.

Tonight I started doing it a different way and it just rocks. The first step is to know which pages on your site you want HTTPS. All my URLs undergo a translation process, so "checkoutPage.html" will actually be more like "/checkoutPage.php?menu=admin.checkout&cached=false" - I added "requires_https=1" to the end of all page translations that should be secure. (Note that the surfer never sees these translations, they are purely for my system and internal).

The next step is to simply see what protocol the current page wants, and if I'm not in the right one, bounce the user to the same page on the opposite protocol. Here's the code:

Code:
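<?php

// True when this request arrived over TLS. Some servers (IIS) set HTTPS to "off" for plain HTTP.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// requires_https is appended by the internal URL translation; treat a missing value as false.
if (!empty($_GET['requires_https']))
{
    // This page needs to be secure
    if (!$isHttps)
    {
        header("Location: https://{$_SERVER['SERVER_NAME']}{$_SERVER['REQUEST_URI']}");
        exit;
    }
} else {
    // This page should not be secure
    if ($isHttps)
    {
        header("Location: http://{$_SERVER['SERVER_NAME']}{$_SERVER['REQUEST_URI']}");
        exit;
    }
}

?>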


That's it! Now the protocol for a particular page is bound TO that page, and the entire rest of the site could give a damn - the rest of the site can still point to /anotherPage.html exactly as they always have, and if /anotherPage.html suddenly wants to be secure, it can take care of itself. Note that you can make any criteria the reason for switching - you could have a little array of secure pages and simply say,

if (in_array($_SERVER['REQUEST_URI'], $securePages))

and do the same thing without my translation process.

That's worth quitting and a glass of wine for.
It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
nutballs
« Reply #1 on: May 13, 2009, 09:42:21 PM »

lol perk. good solution, make it better :)

I have handled this two ways.

1, which is the most direct, but requires page level access, and each page to actually exist. Just in the head I put a call to a function. requireshttps("yes") or no.
2, which is better for non-existent pages, like you are probably doing. I have a file with a list of https urls, or parts, and store it in a server array. check every page load.

the other way, which I have not done but should be pretty good, is mod-rewrite. You could establish a pattern in URL names that if found by mod-rewrite, would force HTTPS. And vice versa of course. or you could do a list of URLs in the rewrites if you can't change the URLs because it's an existing system. though I doubt it, since these are checkout pages I assume.
I could eat a bowl of Alphabet Soup and shit a better argument than that.
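
The list-based variant mentioned in the first post ("a little array of secure pages") and in reply #1 ("a list of https urls, or parts"), written out as an added example that is not code from either poster. The function names, the prefix list and the sample requests are constructed for illustration.

```php
<?php
// Added example, not from the thread. All names and sample data are hypothetical.

/** True when the request arrived over TLS; IIS sets HTTPS to "off" for plain HTTP. */
function isHttps(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

/**
 * Return the URL to redirect to, or null when the request is already on the right scheme.
 * Matching uses the path only, so a query string on a secure page does not defeat the lookup.
 */
function schemeRedirect(array $server, array $securePrefixes): ?string
{
    $path = parse_url($server['REQUEST_URI'], PHP_URL_PATH);
    if (!is_string($path)) {
        $path = '/';                       // unparsable URI: treat as the site root
    }
    $needsHttps = false;
    foreach ($securePrefixes as $prefix) { // "urls, or parts": prefix match on the path
        if (strncmp($path, $prefix, strlen($prefix)) === 0) {
            $needsHttps = true;
            break;
        }
    }
    if ($needsHttps === isHttps($server)) {
        return null;                       // already on the scheme this page wants
    }
    $scheme = $needsHttps ? 'https' : 'http';
    return "{$scheme}://{$server['SERVER_NAME']}{$server['REQUEST_URI']}";
}

$securePrefixes = ['/checkoutPage.html', '/account/'];   // constructed list

$samples = [                                             // constructed requests
    ['HTTPS' => 'off', 'SERVER_NAME' => 'shop.example', 'REQUEST_URI' => '/checkoutPage.html?step=2'],
    ['HTTPS' => 'on',  'SERVER_NAME' => 'shop.example', 'REQUEST_URI' => '/gallery.html'],
    ['HTTPS' => 'on',  'SERVER_NAME' => 'shop.example', 'REQUEST_URI' => '/account/addresses'],
];
foreach ($samples as $s) {
    echo $s['REQUEST_URI'], ' -> ', schemeRedirect($s, $securePrefixes) ?? '(no redirect)', "\n";
}
```

In the single entry script, call `schemeRedirect($_SERVER, $securePrefixes)` before any output and, when it returns a URL, send it in a `Location` header and `exit`.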
perkiset
« Reply #2 on: May 13, 2009, 11:31:53 PM »

@ 1 - the page level and page specific stuff is what's always bugged me. Even moreso when ALL pages need to know what the deal is (this page is not secure, neither is that one, but that one is...) - it means that every page needs to be configured (at least the way I've done it). I wanted a fix where I could affect the smallest number of pages and the fix was specifically applicable to them, and in an object-abstraction/encapsulation way, a caller never needs to know the protocol requirements of the destination. I used to do it *something* like this by placing the instructions into the page array and then doing one big string replacement on the output before I dispatched it. It worked, but was pretty ugly.

@ 2 - yes you're right mod_rewrite could do it as well, hadn't really thought that angle. I might have a few years ago when I had more of a crush on mod_rewrite - now though, since all calls move into a single script for every page of a site, I am more inclined to think at that trap point.

Also, I think clearly with the $_GET mechanism I've outlined because my translator essentially takes spider friendly URLs and converts them to function calls - that's the way I see a web page, a function call. GET params are just parameters to the function. So thinking from the perspective that requires_https is an optional parameter that defaults to false unless I set it true really speaks to me.

@ page types - checkout yes, but my account management stuff is all https as well. So the programmatic path is very chaotic - from adjusting my address book to re-viewing a gallery, back to adding an address, checkout, shipping options, checkout. It's not linear at all, which has always been some of the trouble as well.
nutballs
« Reply #3 on: May 14, 2009, 08:46:54 AM »

ah, got it. yea, because of your single point of code access, you're thinking more at that point.
I often had to use 1 or two because I am retrofitting old stuff, or hand off to an internal team.
I also stay away from putting stuff in mod-rewrites because of code separation. It's the same reason I am hesitant to move stuff to stored procs.
perkiset
« Reply #4 on: May 14, 2009, 09:28:08 AM »

Totally get it @ stored procs. It's a commitment, because you're right - you've got code in at least 2 places now, and if you throw a bunch out to the client it's even worse. That is my life ATM - at least since I've almost entirely done away with traditional HTML and am going to a much more dynamic CSS style layout, I'm down to 4 concurrent languages/syntaxes: client work (JS) client layout (CSS) server work (PHP) DB work (stored procs). Sometimes it's just a head spin to figure out "who's got the ball" LOL