424,306 Members | 1,035 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 424,306 IT Pros & Developers. It's quick & easy.

how do I check if the referrer was used HTTP or HTTPS?

P: n/a
I need to verify if the page that led the user to this page used http or
httpS.

for example, if the use cam to my page from:
httpS://www.dm.com/sample/foo.php

I want to know as opposed to coming from:
http://www.dm.com/sample/foo.php

I've tried looking at PORT but it doesn't seem to work properly.

Any ideas?

Thanks.
Jul 17 '05 #1
Share this Question
Share on Google+
8 Replies


P: n/a
On Wed, 3 Dec 2003 15:48:51 -0500, "NotGiven" <no****@nonegiven.net> wrote:
I need to verify if the page that led the user to this page used http or
httpS.

for example, if the use cam to my page from:
httpS://www.dm.com/sample/foo.php

I want to know as opposed to coming from:
http://www.dm.com/sample/foo.php

I've tried looking at PORT but it doesn't seem to work properly.


You can't reliably tell anything from the referrer, since it's optional and
fakeable.

But if you still want to, then just check the first five characters of
$_SERVER['HTTP_REFERER'] ?

--
Andy Hassall (an**@andyh.co.uk) icq(5747695) (http://www.andyh.co.uk)
Space: disk usage analysis tool (http://www.andyhsoftware.co.uk/space)
Jul 17 '05 #2

P: n/a
ya you can't rely on referer since it cheatable, but I suggest you to use
session, when he is in the secure page, you define something like
$_SESSION["haveVisitedSecure"] = true;

then on your second page,
if ($_SESSION["haveVisitedSecure"]) {
//....
} else {
echo "you must come from the secure page";
}

Savut

"Andy Hassall" <an**@andyh.co.uk> wrote in message
news:hq********************************@4ax.com...
On Wed, 3 Dec 2003 15:48:51 -0500, "NotGiven" <no****@nonegiven.net> wrote:
I need to verify if the page that led the user to this page used http or
httpS.

for example, if the use cam to my page from:
httpS://www.dm.com/sample/foo.php

I want to know as opposed to coming from:
http://www.dm.com/sample/foo.php

I've tried looking at PORT but it doesn't seem to work properly.
You can't reliably tell anything from the referrer, since it's optional

and fakeable.

But if you still want to, then just check the first five characters of
$_SERVER['HTTP_REFERER'] ?

--
Andy Hassall (an**@andyh.co.uk) icq(5747695) (http://www.andyh.co.uk)
Space: disk usage analysis tool (http://www.andyhsoftware.co.uk/space)

Jul 17 '05 #3

P: n/a
That would be great except that the page they are coming from is possible to
get to using http as well as httpS.

What I need is a way to force them to use https.

Barring that, I need a way to test if the page they came from was https.

thanks.
"Savut" <we***@hotmail.com> wrote in message
news:NU*****************@news20.bellglobal.com...
ya you can't rely on referer since it cheatable, but I suggest you to use
session, when he is in the secure page, you define something like
$_SESSION["haveVisitedSecure"] = true;

then on your second page,
if ($_SESSION["haveVisitedSecure"]) {
//....
} else {
echo "you must come from the secure page";
}

Savut

"Andy Hassall" <an**@andyh.co.uk> wrote in message
news:hq********************************@4ax.com...
On Wed, 3 Dec 2003 15:48:51 -0500, "NotGiven" <no****@nonegiven.net>

wrote:
I need to verify if the page that led the user to this page used http orhttpS.

for example, if the use cam to my page from:
httpS://www.dm.com/sample/foo.php

I want to know as opposed to coming from:
http://www.dm.com/sample/foo.php

I've tried looking at PORT but it doesn't seem to work properly.


You can't reliably tell anything from the referrer, since it's optional

and
fakeable.

But if you still want to, then just check the first five characters of
$_SERVER['HTTP_REFERER'] ?

--
Andy Hassall (an**@andyh.co.uk) icq(5747695) (http://www.andyh.co.uk)
Space: disk usage analysis tool (http://www.andyhsoftware.co.uk/space)


Jul 17 '05 #4

P: n/a
well on the first page, you check the URL of the document itself if it's
https or http, if it's https, you set secure to true

on the first page :
if (substr($_SERVER["PHP_SELF"], 0, 5) == "https") {
$_SESSION["secure"] = true;
} else {
$_SESSION["secure"] = false;
}

then on the second, you verify it :
if ($_SESSION["secure"]) {
echo "you were from the secured page";
} else {
echo "cheating";
}

Savut

"NotGiven" <no****@nonegiven.net> wrote in message
news:EW**********@bignews3.bellsouth.net...
That would be great except that the page they are coming from is possible to get to using http as well as httpS.

What I need is a way to force them to use https.

Barring that, I need a way to test if the page they came from was https.

thanks.
"Savut" <we***@hotmail.com> wrote in message
news:NU*****************@news20.bellglobal.com...
ya you can't rely on referer since it cheatable, but I suggest you to use
session, when he is in the secure page, you define something like
$_SESSION["haveVisitedSecure"] = true;

then on your second page,
if ($_SESSION["haveVisitedSecure"]) {
//....
} else {
echo "you must come from the secure page";
}

Savut

"Andy Hassall" <an**@andyh.co.uk> wrote in message
news:hq********************************@4ax.com...
On Wed, 3 Dec 2003 15:48:51 -0500, "NotGiven" <no****@nonegiven.net>

wrote:

>I need to verify if the page that led the user to this page used http or >httpS.
>
>for example, if the use cam to my page from:
>httpS://www.dm.com/sample/foo.php
>
>I want to know as opposed to coming from:
>http://www.dm.com/sample/foo.php
>
>I've tried looking at PORT but it doesn't seem to work properly.

You can't reliably tell anything from the referrer, since it's optional and
fakeable.

But if you still want to, then just check the first five characters

of $_SERVER['HTTP_REFERER'] ?

--
Andy Hassall (an**@andyh.co.uk) icq(5747695) (http://www.andyh.co.uk)
Space: disk usage analysis tool (http://www.andyhsoftware.co.uk/space)



Jul 17 '05 #5

P: n/a
Regarding this well-known quote, often attributed to NotGiven's famous
"Wed, 3 Dec 2003 15:48:51 -0500" speech:
I need to verify if the page that led the user to this page used http or
httpS.

for example, if the use cam to my page from:
httpS://www.dm.com/sample/foo.php

I want to know as opposed to coming from:
http://www.dm.com/sample/foo.php

I've tried looking at PORT but it doesn't seem to work properly.

Any ideas?

Thanks.


Could I ask why? More details might make it possible to provide a better
solution to the greater problem.

--
-- Rudy Fleminger
-- sp@mmers.and.evil.ones.will.bow-down-to.us
(put "Hey!" in the Subject line for priority processing!)
-- http://www.pixelsaredead.com
Jul 17 '05 #6

P: n/a
Yes, thanks.

I am doing a series of pages and my hosting company offers a shared SSL cert
to use which the client asked for.

Without a way to force all pages in the directory to be opened using SSL, I
resort to forcing it in the code - PHP.

Thus you can rewrite the URL to access the page without using SSL. So:
https://ssl.myhost.com/sssl.mydomain.com/page1.php

could be rewritten to:
http://www.mydomain.com/page1.php

and viewed. I need to distinguish between what is being loaded using SSL
and not so I can do a location: redirect to the https version.

If anyone knows of a way to do this using Apache, let me know. WIth Apache,
I have tried, SSLRequireSSL directive - doesn't work. Tried directory
cirective - doesn't work.

Thanks.
"FLEB" <so*********@mmers.and.evil.ones.will.bow-down-to.us> wrote in
message news:1v*****************************@40tude.net...
Regarding this well-known quote, often attributed to NotGiven's famous
"Wed, 3 Dec 2003 15:48:51 -0500" speech:
I need to verify if the page that led the user to this page used http or
httpS.

for example, if the use cam to my page from:
httpS://www.dm.com/sample/foo.php

I want to know as opposed to coming from:
http://www.dm.com/sample/foo.php

I've tried looking at PORT but it doesn't seem to work properly.

Any ideas?

Thanks.


Could I ask why? More details might make it possible to provide a better
solution to the greater problem.

--
-- Rudy Fleminger
-- sp@mmers.and.evil.ones.will.bow-down-to.us
(put "Hey!" in the Subject line for priority processing!)
-- http://www.pixelsaredead.com

Jul 17 '05 #7

P: n/a
Regarding this well-known quote, often attributed to NotGiven's famous
"Thu, 4 Dec 2003 17:23:51 -0500" speech:
Yes, thanks.

I am doing a series of pages and my hosting company offers a shared SSL cert
to use which the client asked for.

Without a way to force all pages in the directory to be opened using SSL, I
resort to forcing it in the code - PHP.

Thus you can rewrite the URL to access the page without using SSL. So:
https://ssl.myhost.com/sssl.mydomain.com/page1.php

could be rewritten to:
http://www.mydomain.com/page1.php

and viewed. I need to distinguish between what is being loaded using SSL
and not so I can do a location: redirect to the https version.

If anyone knows of a way to do this using Apache, let me know. WIth Apache,
I have tried, SSLRequireSSL directive - doesn't work. Tried directory
cirective - doesn't work.

Thanks.
"FLEB" <so*********@mmers.and.evil.ones.will.bow-down-to.us> wrote in
message news:1v*****************************@40tude.net...
Regarding this well-known quote, often attributed to NotGiven's famous
"Wed, 3 Dec 2003 15:48:51 -0500" speech:
I need to verify if the page that led the user to this page used http or
httpS.

for example, if the use cam to my page from:
httpS://www.dm.com/sample/foo.php

I want to know as opposed to coming from:
http://www.dm.com/sample/foo.php

I've tried looking at PORT but it doesn't seem to work properly.

Any ideas?

Thanks.


Could I ask why? More details might make it possible to provide a better
solution to the greater problem.

--
-- Rudy Fleminger
-- sp@mmers.and.evil.ones.will.bow-down-to.us
(put "Hey!" in the Subject line for priority processing!)
-- http://www.pixelsaredead.com


Okay, I'm really in over my head on this one (I don't even know if I HAVE
an SSL-enabled server, much less used the features), but can you get it to
check whether the *current* page is being viewed SSL, then redirect to the
SSL version of itself it's not.

I'm just thinking that any checks would be worlds more safe and reliable if
it was the current page being checked, since HTTP is stateless (preserves
no information) and all information about previous activity has to be
continuously sent back-and-forth (with possible spoofing or security
implications).

--
-- Rudy Fleminger
-- sp@mmers.and.evil.ones.will.bow-down-to.us
(put "Hey!" in the Subject line for priority processing!)
-- http://www.pixelsaredead.com
Jul 17 '05 #8

P: n/a
My solution before would work well, this is a 100% proof as you can't rely
on referer.

Savut

"FLEB" <so*********@mmers.and.evil.ones.will.bow-down-to.us> wrote in
message news:m8*****************************@40tude.net...
Regarding this well-known quote, often attributed to NotGiven's famous
"Thu, 4 Dec 2003 17:23:51 -0500" speech:
Yes, thanks.

I am doing a series of pages and my hosting company offers a shared SSL cert to use which the client asked for.

Without a way to force all pages in the directory to be opened using SSL, I resort to forcing it in the code - PHP.

Thus you can rewrite the URL to access the page without using SSL. So:
https://ssl.myhost.com/sssl.mydomain.com/page1.php

could be rewritten to:
http://www.mydomain.com/page1.php

and viewed. I need to distinguish between what is being loaded using SSL and not so I can do a location: redirect to the https version.

If anyone knows of a way to do this using Apache, let me know. WIth Apache, I have tried, SSLRequireSSL directive - doesn't work. Tried directory
cirective - doesn't work.

Thanks.
"FLEB" <so*********@mmers.and.evil.ones.will.bow-down-to.us> wrote in
message news:1v*****************************@40tude.net...
Regarding this well-known quote, often attributed to NotGiven's famous
"Wed, 3 Dec 2003 15:48:51 -0500" speech:

I need to verify if the page that led the user to this page used http or httpS.

for example, if the use cam to my page from:
httpS://www.dm.com/sample/foo.php

I want to know as opposed to coming from:
http://www.dm.com/sample/foo.php

I've tried looking at PORT but it doesn't seem to work properly.

Any ideas?

Thanks.

Could I ask why? More details might make it possible to provide a better solution to the greater problem.

--
-- Rudy Fleminger
-- sp@mmers.and.evil.ones.will.bow-down-to.us
(put "Hey!" in the Subject line for priority processing!)
-- http://www.pixelsaredead.com

Okay, I'm really in over my head on this one (I don't even know if I HAVE
an SSL-enabled server, much less used the features), but can you get it to
check whether the *current* page is being viewed SSL, then redirect to the
SSL version of itself it's not.

I'm just thinking that any checks would be worlds more safe and reliable

if it was the current page being checked, since HTTP is stateless (preserves
no information) and all information about previous activity has to be
continuously sent back-and-forth (with possible spoofing or security
implications).

--
-- Rudy Fleminger
-- sp@mmers.and.evil.ones.will.bow-down-to.us
(put "Hey!" in the Subject line for priority processing!)
-- http://www.pixelsaredead.com

Jul 17 '05 #9

This discussion thread is closed

Replies have been disabled for this discussion.