SSL and PHP

[bufster007]

We recently installed SSL on our site. It is using a single directory for SSL and non SSL. I am going to use it for the login, register and checkout page.

However, I am having some weird things happening that hopefully someone has had some experience with.

Forms that used to work fine (both HTTPS and HTTP) are now instead going to index.php/ (another folder?) which I don't know where it gets that page from as its not my normal index.php - instead my CSS, images etc don't load on it, its just a unformatted version of index.php (in both IE and firefox). Properities show image paths on this index.php/ are index.php/images folder/ rather then just /images folder/

I believe the form itself is submitting as normal and going through the code because when I submit the login form and it changes to index.php/ if I click back I am logged in correctly.

If I change it from a form to a hyperlink that passes the variables in the URL it works, but of course I don't want to do it that way for registrations, orders, logins etc. It doesn't matter whether its a https page or not, even my http search is for whatever reason redirecting to index.php/

I don't know why its going to that page, and why its putting the folder / at the end of it.

Any suggestions are welcomed

[sde]

you sure it's not a index.php file in your ssl directory (or non ssl, whatever the opposite of what you're expecting it to be)

i usually use the same directory for ssl and non ssl and if need be, enforce the https at the application level.

[bufster007]

Thanks sde, nope definitly don't have an index.php in my httpsdoc folder. I am quite sure it is showing my normal index.php page, but is putting a / at the end of it (index.php/) which is why the image links no longer work. I am not sure why its breaking out of what its meant to be doing and showing that page.

I did some testing as suggested. Firstly I created a simple form, that worked fine, so I added more details to it and then all of a sudden it started not working.

Turns out:
If my page is http://mydomain.com the form works.
If the page URL is http://www.mydomain.com the form does not work (it goes to index.php/ rather then the test results page).

Now http://www.mydomain.com forms used to work fine before I got SSL, so not sure if its PHP related at all. I think the forms are still running through the code properly (storing variables, logging in etc), its just going to index.php/ for some reason rather then the page its meant to. Someone sugguested a htaccess problem, not sure what that means or if its relevant just yet.

[bufster007]

Note: I don't want to run my entire site in SSL/HTTPS (not that that would fix this problem, just had a quick read of Force SSL/https using .htaccess and mod_rewrite

[sde]

do you have an alias setup for www .example.com in your virtualhost config?

[bufster007]

Ahem.

Thank you sde. I have found what was causing it, my connect file has the following code:

PHP Code:

//redirect to index if someone is posting variables 
  if($_SERVER['REQUEST_METHOD'] == "POST"){
    $referer = parse_url($_SERVER['HTTP_REFERER']);
    //redirect people posting to this website via another
    if($referer['host'] != "mydomain.com"){
      header("Location: http://www.mydomain.com/index.php/");
    }
  } 


Now I have edited this to try and get it to include both HTTP and HTTPS but it is still redirecting me when I submit a form, am I using the or operator incorrectly?

PHP Code:

//redirect to index if someone is posting variables 
  if($_SERVER['REQUEST_METHOD'] == "POST"){
    $referer = parse_url($_SERVER['HTTP_REFERER']);
    
    //redirect people posting to this website via another
    if($referer['host'] != "https://www.mydomain.com" || "http://www.mydomain.com"){
      header("Location: http://www.mydomain.com/index.php");
    }
  } 


With SSL installed it doesn't like this code anymore, even though forms did work on both mydomain.com and www.mydomain.com before.

[sde]

PHP Code:

//redirect to index if someone is posting variables 
  if($_SERVER['REQUEST_METHOD'] == "POST"){
    $referer = parse_url($_SERVER['HTTP_REFERER']);

    echo $referer['host'];
    exit;
  } 


i would do something like this to make sure $referer['host'] is sending what you think it is ... or to figure out what it is sending when it's not working as expected.

[DJMaze]

HTTP_REFERER is a header send by the user agent.
It may or may not exist when the user agent requests a page.

Since the user agent may decide to alter or remove this header, there is no way that you can be 100% sure the referring page comes from your domain.

For example i use the RefControl extension in Firefox to disable HTTP_REFERER or modify it to my liking.
RefControl - Firefox Extension
For my profession this is a great asset to see which dumb-ass company made the website, so that i don't have to apply for a job

Sometimes it is not even the user agent who is stripping the header but a firewall that is removing it from the request to protect anything that requests webpages.

Therefore, the recommended way is to show an error page instead of putting visitors in an endless loop.

[DJMaze]

To improve accessibility you could the reduce the "error trigger".
Use session handling on index.php.

PHP Code:

<?php

session_start();

if ('POST' === $_SERVER['REQUEST_METHOD']) {
    if (!isset($_SESSION['allow_post'])) {
        exit('Please allow cookies!');
    }
}

$_SESSION['allow_post'] = true;
?>

[bufster007]

Thanks DJMaze and sde,

I have included both your code as it was great advice to cover all bases.

When I echo'd it out it was www.mydomain.com, However it kept redirecting rather then letting through www.mydomain.com or mydomain.com so I tried

PHP Code:

if($host != "mydomain.com" && $host != "www.mydomain.com"){

and tried

if($host != "mydomain.com" || $host != "www.mydomain.com"){ 


but it redirected each time, so I ended up with

PHP Code:

if($host != "www.mydomain.com"){ 


As it should always be this generally and it works fine.

Unless they navigate to the site using http://mydomain.com in which case the first link they click on will redirect them, or if they use the search box on the homepage that will redirect them.

Above it I added DJMazes check (very good point!). Thank you both very much.

[DJMaze]

$host = $_SERVER['HTTP_HOST ']; // i assume?