$_SERVER['HTTPS'] - undocumented feature?

Hi All,

I've seen many references to the $_SERVER['HTTPS'] variable, which is set to
the string 'on' when the client is connected via HTTPS rather than regular
HTTP. However, I have been unable to find any references to it in the
official PHP documentation (many times in the user contributed notes,
though).

Often, undocumented features go away with future releases, since "nobody
should have been using them anyway," etc. For this reason I am concerned
about using this variable in order to determine if the client is connected
via HTTPS. Is there a better way? Or should I not be concerned about the
variable disappearing/getting renamed?

Sincerely,
-Josh

re: $_SERVER['HTTPS'] - undocumented feature?

On Mon, 15 Nov 2004 18:16:34 +0000, Joshua Beall wrote:
[color=blue]
> Hi All,
>
> I've seen many references to the $_SERVER['HTTPS'] variable, which is set to
> the string 'on' when the client is connected via HTTPS rather than regular
> HTTP. However, I have been unable to find any references to it in the
> official PHP documentation (many times in the user contributed notes,
> though).
>
> Often, undocumented features go away with future releases, since "nobody
> should have been using them anyway," etc. For this reason I am concerned
> about using this variable in order to determine if the client is connected
> via HTTPS. Is there a better way? Or should I not be concerned about the
> variable disappearing/getting renamed?
>
> Sincerely,
> -Josh[/color]

Hello Josh,
Please check this page:
http://es2.php.net/reserved.variables

Quote:
"$_SERVER is an array containing information such as headers, paths, and
script locations. The entries in this array are created by the webserver.
There is no guarantee that every webserver will provide any of these;
servers may omit some, or provide others not listed here. That said, a
large number of these variables are accounted for in the CGI 1.1
specification, so you should be able to expect those."

This basically means that PHP itself has nothing to do with this variable,
since it's up to the webserver to set it or not. Apparently mod_ssl does
set this variable, so you would have to watch this module if it changes or
removes the HTTPS environment variable.

One other way would be to check on which port the user is connected to,
usually port 443 is always https--but then again, it doesn't have to be.
So if it was up to me, I would check the $_SERVER['HTTPS'] setting rather
than the port. Just make sure that your scripts are running on servers
that do use mod_ssl.

DrTebi

re: $_SERVER['HTTPS'] - undocumented feature?

*** Joshua Beall wrote/escribió (Mon, 15 Nov 2004 18:16:34 GMT):[color=blue]
> I've seen many references to the $_SERVER['HTTPS'] variable, which is set to
> the string 'on' when the client is connected via HTTPS rather than regular
> HTTP. However, I have been unable to find any references to it in the
> official PHP documentation (many times in the user contributed notes,
> though).[/color]

These environment variables are created by the SSL module:

http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25


--
-- Álvaro G. Vicario - Burgos, Spain
-- Thank you for not e-mailing me your questions
--

re: $_SERVER['HTTPS'] - undocumented feature?

"Joshua Beall" <jbeall@donotspam.remove.me.heraldic.us> wrote in message
news:6o6md.7395$pP5.5571@trnddc05...[color=blue]
> Hi All,
>
> I've seen many references to the $_SERVER['HTTPS'] variable, which is set[/color]
to[color=blue]
> the string 'on' when the client is connected via HTTPS rather than regular
> HTTP. However, I have been unable to find any references to it in the
> official PHP documentation (many times in the user contributed notes,
> though).
>
> Often, undocumented features go away with future releases, since "nobody
> should have been using them anyway," etc. For this reason I am concerned
> about using this variable in order to determine if the client is connected
> via HTTPS. Is there a better way? Or should I not be concerned about the
> variable disappearing/getting renamed?[/color]

$_SERVER entries are set by the web server. The HTTPS element is set by
Apache modssl. You can find that documented here
(http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25) which I found by
looking in the notes attached to the $_SERVER variable documentation at
(http://us2.php.net/manual/en/reserve...variables.serv
er)

- Virgil

re: $_SERVER['HTTPS'] - undocumented feature?

Dear sir,

https means if your host is a secure server, not the client is connected via
https. it is not undocumented and it is visible in the phpinfo().
$_SERVER['HTTPS'] merely mentions if the server is secure or not and
effectively you can use the server as a secure server.

people do use it and it is an important function. otherwise they would not
have it there.

i think if variables disappear, they are not needed in the first place. at
this moment, i do not think it is any reason to panic.

thanking you

sumeet shroff


"Joshua Beall" <jbeall@donotspam.remove.me.heraldic.us> wrote in message
news:6o6md.7395$pP5.5571@trnddc05...[color=blue]
> Hi All,
>
> I've seen many references to the $_SERVER['HTTPS'] variable, which is set[/color]
to[color=blue]
> the string 'on' when the client is connected via HTTPS rather than regular
> HTTP. However, I have been unable to find any references to it in the
> official PHP documentation (many times in the user contributed notes,
> though).
>
> Often, undocumented features go away with future releases, since "nobody
> should have been using them anyway," etc. For this reason I am concerned
> about using this variable in order to determine if the client is connected
> via HTTPS. Is there a better way? Or should I not be concerned about the
> variable disappearing/getting renamed?
>
> Sincerely,
> -Josh
>
>[/color]