2

I'm trying to prevent certain pages on my site from being accessed through HTTPS, and (for whatever reason) I want to do it through PHP and not through a .htaccess.

Here's the code I'm using:

if ( isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ) {
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: http://mydomain.com");
}

But for some odd reason, I'm stuck in an infinite loop, and can't get it to work. When I check the response headers in firebug, I see that the location header is set to https://mydomain.com instead of http://mydomain.com, which is causing the infinite loop.

EDIT: Accessing http://mydomain.com directly does work.

Also note: this works if I send'em to a different page, but not if I send them to the same page. So if I run the above code in mydomain.com/somePage.php, and then try accessing it through https://mydomain.com/somePage.php, it'll properly redirect to (non-SSL-ed) homepage. Only when I redirect them to the same page with a different protocol does it ignore the protocol.

What am I doing wrong?

Improve this question
8
  • 3
    Is it a typo that it says header("Location: http:// and not header("Location: https:// ... or is that what the code actually says? Commented Oct 12, 2011 at 2:01
  • @Dennis: Sorry, you're right. Misread. I'd look for other places in your code that cause a redirect from http->https. Do you have something in httpd.conf/.htaccess? Or even another PHP block elsewhere? Commented Oct 12, 2011 at 2:14
  • Do you need isset or would if (!empty($_SERVER['HTTPS'])) suffice? I'm not sure you need to double on the isset and == 'on'. If it's not https, the $_SERVER['HTTPS'] var will be empty, so just checking that single variable for a value should work - at least that's what I would have assumed. I don't have a server with HTTPS enable to test with right now. Commented Oct 12, 2011 at 2:21
  • What if you remove the 301 header? Commented Oct 12, 2011 at 2:36
  • Quirky. If there isn't an answer to this tomorrow I'll test it on a server at work and see what happens. Commented Oct 12, 2011 at 2:42

3 Answers 3

Reset to default
3

It turns out there was nothing wrong with my code. The server was just setup in a way that was messing with my headers. I'm using engineHosting.com, and I have to say: they were very helpful. After a lot of back & forth with them, here's what they sent me:

We were able to get to the bottom of this and may have it (sic) fixed the issue but the fix in and of itself my cause other issues. Let me explain.

Our architecture is not typical of most web hosts. Your account is actually hosted by twin firewalls, twin intrusion prevention systems, twin load balancers also performing the role of SSL hardware-based acceleration, fronting two apache web nodes, and a massive mysql server backend.

The problem was with how we were doing the SSL acceleration inside the load balancers. We have had a number of clients that wanted to detect when a user was accessing a page that was only meant to be used with https, but never the reverse of wanting to detect when a user was on a page that should be redirected to regular http. Because of this, we had an option enabled on our load balancers called "http wan optimized compression SSL Sites Only" which also rewrites an outbound location header to be https when the requesting url was already https enabled. This is useful when you may have a lot of links to assets on the same URL served dynamically but accidentally wrote the link as http. So this is actually a feature, not a bug (and yes I too dislike that phrase).

To work around your particular use case, we changed the SSL profile for your domain to be "http compression for normal/non-ssl" virtual server setups. You have likely not run into this issue using single server web solutions in the past. The unfortunate consequence of operating in this mode is that the other use case of doing 30x redirects at the server level for redirecting users from http to https may have issues depending on how the redirects are implemented. To be safe, you should validate the methods you will be using in your live site and let me know if you run into any problems.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Heh, this "feature" cost me a morning. Thanks for posting this.
@Populus - are you also on engineHosting?
0

Not completely sure, but here's a couple things I note:

  1. If your .htaccess or server config it set to insist on HTTPS, you won't be able to get around that at the php level.

  2. you left off the trailing slash on http://mydomain.com which creates an implied redirect. Try it with the full actual path in the location -- http://mydomain.com/index.html or http://mydomain.com/index.php for example.

Improve this answer

3 Comments

Would .htaccess redirect after headers are sent from a script?
1) Nope. Like I said in my question, accessing http://mydomain.com directly works fine. 2) I'm running this on the homepage, I do wnat them to be redirected there. 3) What does implied redirect mean?
implied redirect means that there is not a file named "mydomain.com". The server recognizes this and adds the slash for you, then uses the rules from the configuration to search for the default directory file. That's the way web servers work and thats potentially several re-write steps which provide opportunities for there to be a setting which add the https: back in there, if it is the default for the server. Better to be explicit, and not count on hidden things doing what you expect, especially when they aren't.
0

I have a self-hosted server running an HTTPS site. I did a few quick tests, and your code works exactly as expected. Here's my code (verbatim, with only the domain changed):

redir.php

<?php
if ( isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ) {
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: http://mydomain.com/redir.php");
    exit;
}

if ( !isset($_SERVER['HTTPS']) || !$_SERVER['HTTPS'])
{
   echo "IT'S WORKING!";
}

?>

I would definitely say - as Jared Farrish said in his chat - that it's an issue with the host. Something in their server configuration is forcing the redirect back to HTTPS. I don't think it's a PHP bug. My server is running PHP 5.3.5 with Apache 2.2.17.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.