0

Is the check:

if (!isset($_SERVER['HTTPS']) OR empty($_SERVER['HTTPS']))
{
    // We are NOT using SSL
}

a fool-proof way of checking if we are NOT using SSL with PHP/Apache?

I understand that IIS sets to 'on/off' but that's irrelevant for me. I am just wondering if I additionally need to check for port 443, etc.

6
Contributors
7
Replies
63
Views
2 Years
Discussion Span
Last Post by lorenzoDAlipio
0

The server super global should also have the port number for the request, $_SERVER["SERVER_PORT"], but the way you are checking is the only way I can think of on the receiving end of a request.

You can always htaccess it up and force all connections over https :/ but I'm guessing that won't really solve your problem.

Edit: I think the value for $_SERVER["HTTPS"] will be a 1 or 0

Edited by ryantroop

0

You can always htaccess it up and force all connections over https :/ but I'm guessing that won't really solve your problem.

Yeah, that's not really what I'm looking to do. I know I should also have access to SERVER_PORT but not sure if that's necesary to check. My guess is what I'm currently doing should be fine.

1

You are doing fine I think. On the other hand, 443 is normally the default Virtual SSL host as defined in httpd-ssl.conf

<VirtualHost _default_:443>

the same port number is use by default in global SSL port to listen to. common in all apache..

#################### Global SSL ##########################
 Listen 443 https

So, if we run this on a page located in the public ssl directory,

if($_SERVER['SERVER_PORT'] !==443){
  echo " We are NOT using SSL";
}

it can provide additional confirmation in checking if using SSL.

if (!isset($_SERVER['HTTPS']) OR empty($_SERVER['HTTPS']) OR ($_SERVER['SERVER_PORT'] !==443)){

     // We are NOT using SSL

}     

that will give us the tertiary check point.

0
if (!isset($_SERVER['HTTPS']) OR empty($_SERVER['HTTPS'])

isn't that redundant
doesn't empty() check isset()
why have both

0

No, empty just checks if the value of the variable is false, empty string, empty array, etc. It does not check if the variable exists at all. Not making sure it exists before checking its value will lead to throwing a PHP notice.

0

isn't that redundant
doesn't empty() check isset()
why have both

No, seems sensible. If it's not set, it's not set - fine. But it could be set and be empty, which is also something that we don't want. Maybe I missed something.

To break it down...

The variable is not set (!isset) - this is a sensible starter to the consitional statement since a check for 'empty' on a variable that doesn't exist would throw an error.

An alternative of isset($var) AND !empty($var) AND ($var2 == $somevalue) could also be used for the opposite.

0

I totally agree with the Moderator and the Administrator. Item can be set and it can also be empty.

$test = '';

    if(isset($test)){

        echo 'Test is set and is empty';

        }

Edited by lorenzoDAlipio: info added

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.