how do I check if the referrer was used HTTP or HTTPS?

On Wed, 3 Dec 2003 15:48:51 -0500, "NotGiven" <noname@nonegiven.net> wrote:
[color=blue]
>I need to verify if the page that led the user to this page used http or
>httpS.
>
>for example, if the use cam to my page from:
>httpS://www.dm.com/sample/foo.php
>
>I want to know as opposed to coming from:
>http://www.dm.com/sample/foo.php
>
>I've tried looking at PORT but it doesn't seem to work properly.[/color]

You can't reliably tell anything from the referrer, since it's optional and
fakeable.

But if you still want to, then just check the first five characters of
$_SERVER['HTTP_REFERER'] ?

--
Andy Hassall (andy@andyh.co.uk) icq(5747695) (http://www.andyh.co.uk)
Space: disk usage analysis tool (http://www.andyhsoftware.co.uk/space)

ya you can't rely on referer since it cheatable, but I suggest you to use
session, when he is in the secure page, you define something like
$_SESSION["haveVisitedSecure"] = true;

then on your second page,
if ($_SESSION["haveVisitedSecure"]) {
//....
} else {
echo "you must come from the secure page";
}

Savut

"Andy Hassall" <andy@andyh.co.uk> wrote in message
news:hqmssvgcovac96r50la2osfp3moo35t9hv@4ax.com... [color=blue]
> On Wed, 3 Dec 2003 15:48:51 -0500, "NotGiven" <noname@nonegiven.net>[/color]
wrote:[color=blue]
>[color=green]
> >I need to verify if the page that led the user to this page used http or
> >httpS.
> >
> >for example, if the use cam to my page from:
> >httpS://www.dm.com/sample/foo.php
> >
> >I want to know as opposed to coming from:
> >http://www.dm.com/sample/foo.php
> >
> >I've tried looking at PORT but it doesn't seem to work properly.[/color]
>
> You can't reliably tell anything from the referrer, since it's optional[/color]
and[color=blue]
> fakeable.
>
> But if you still want to, then just check the first five characters of
> $_SERVER['HTTP_REFERER'] ?
>
> --
> Andy Hassall (andy@andyh.co.uk) icq(5747695) (http://www.andyh.co.uk)
> Space: disk usage analysis tool (http://www.andyhsoftware.co.uk/space)[/color]

That would be great except that the page they are coming from is possible to
get to using http as well as httpS.

What I need is a way to force them to use https.

Barring that, I need a way to test if the page they came from was https.

thanks.


"Savut" <webki@hotmail.com> wrote in message
news:NUHzb.292$%i5.16170@news20.bellglobal.com...[color=blue]
> ya you can't rely on referer since it cheatable, but I suggest you to use
> session, when he is in the secure page, you define something like
> $_SESSION["haveVisitedSecure"] = true;
>
> then on your second page,
> if ($_SESSION["haveVisitedSecure"]) {
> //....
> } else {
> echo "you must come from the secure page";
> }
>
> Savut
>
> "Andy Hassall" <andy@andyh.co.uk> wrote in message
> news:hqmssvgcovac96r50la2osfp3moo35t9hv@4ax.com... [color=green]
> > On Wed, 3 Dec 2003 15:48:51 -0500, "NotGiven" <noname@nonegiven.net>[/color]
> wrote:[color=green]
> >[color=darkred]
> > >I need to verify if the page that led the user to this page used http[/color][/color][/color]
or[color=blue][color=green][color=darkred]
> > >httpS.
> > >
> > >for example, if the use cam to my page from:
> > >httpS://www.dm.com/sample/foo.php
> > >
> > >I want to know as opposed to coming from:
> > >http://www.dm.com/sample/foo.php
> > >
> > >I've tried looking at PORT but it doesn't seem to work properly.[/color]
> >
> > You can't reliably tell anything from the referrer, since it's optional[/color]
> and[color=green]
> > fakeable.
> >
> > But if you still want to, then just check the first five characters of
> > $_SERVER['HTTP_REFERER'] ?
> >
> > --
> > Andy Hassall (andy@andyh.co.uk) icq(5747695) (http://www.andyh.co.uk)
> > Space: disk usage analysis tool (http://www.andyhsoftware.co.uk/space)[/color]
>
>[/color]

well on the first page, you check the URL of the document itself if it's
https or http, if it's https, you set secure to true

on the first page :
if (substr($_SERVER["PHP_SELF"], 0, 5) == "https") {
$_SESSION["secure"] = true;
} else {
$_SESSION["secure"] = false;
}

then on the second, you verify it :
if ($_SESSION["secure"]) {
echo "you were from the secured page";
} else {
echo "cheating";
}

Savut

"NotGiven" <noname@nonegiven.net> wrote in message
news:EWIzb.6$V7.2@bignews3.bellsouth.net...[color=blue]
> That would be great except that the page they are coming from is possible[/color]
to[color=blue]
> get to using http as well as httpS.
>
> What I need is a way to force them to use https.
>
> Barring that, I need a way to test if the page they came from was https.
>
> thanks.
>
>
> "Savut" <webki@hotmail.com> wrote in message
> news:NUHzb.292$%i5.16170@news20.bellglobal.com...[color=green]
> > ya you can't rely on referer since it cheatable, but I suggest you to[/color][/color]
use[color=blue][color=green]
> > session, when he is in the secure page, you define something like
> > $_SESSION["haveVisitedSecure"] = true;
> >
> > then on your second page,
> > if ($_SESSION["haveVisitedSecure"]) {
> > //....
> > } else {
> > echo "you must come from the secure page";
> > }
> >
> > Savut
> >
> > "Andy Hassall" <andy@andyh.co.uk> wrote in message
> > news:hqmssvgcovac96r50la2osfp3moo35t9hv@4ax.com... [color=darkred]
> > > On Wed, 3 Dec 2003 15:48:51 -0500, "NotGiven" <noname@nonegiven.net>[/color]
> > wrote:[color=darkred]
> > >
> > > >I need to verify if the page that led the user to this page used http[/color][/color]
> or[color=green][color=darkred]
> > > >httpS.
> > > >
> > > >for example, if the use cam to my page from:
> > > >httpS://www.dm.com/sample/foo.php
> > > >
> > > >I want to know as opposed to coming from:
> > > >http://www.dm.com/sample/foo.php
> > > >
> > > >I've tried looking at PORT but it doesn't seem to work properly.
> > >
> > > You can't reliably tell anything from the referrer, since it's[/color][/color][/color]
optional[color=blue][color=green]
> > and[color=darkred]
> > > fakeable.
> > >
> > > But if you still want to, then just check the first five characters[/color][/color][/color]
of[color=blue][color=green][color=darkred]
> > > $_SERVER['HTTP_REFERER'] ?
> > >
> > > --
> > > Andy Hassall (andy@andyh.co.uk) icq(5747695) (http://www.andyh.co.uk)
> > > Space: disk usage analysis tool (http://www.andyhsoftware.co.uk/space)[/color]
> >
> >[/color]
>
>[/color]

Regarding this well-known quote, often attributed to NotGiven's famous
"Wed, 3 Dec 2003 15:48:51 -0500" speech:
[color=blue]
> I need to verify if the page that led the user to this page used http or
> httpS.
>
> for example, if the use cam to my page from:
> httpS://www.dm.com/sample/foo.php
>
> I want to know as opposed to coming from:
> http://www.dm.com/sample/foo.php
>
> I've tried looking at PORT but it doesn't seem to work properly.
>
> Any ideas?
>
> Thanks.[/color]

Could I ask why? More details might make it possible to provide a better
solution to the greater problem.

--
-- Rudy Fleminger
-- Join Bytes!
(put "Hey!" in the Subject line for priority processing!)
-- http://www.pixelsaredead.com

Yes, thanks.

I am doing a series of pages and my hosting company offers a shared SSL cert
to use which the client asked for.

Without a way to force all pages in the directory to be opened using SSL, I
resort to forcing it in the code - PHP.

Thus you can rewrite the URL to access the page without using SSL. So:
https://ssl.myhost.com/sssl.mydomain.com/page1.php

could be rewritten to:
http://www.mydomain.com/page1.php

and viewed. I need to distinguish between what is being loaded using SSL
and not so I can do a location: redirect to the https version.

If anyone knows of a way to do this using Apache, let me know. WIth Apache,
I have tried, SSLRequireSSL directive - doesn't work. Tried directory
cirective - doesn't work.

Thanks.
"FLEB" <soon.the.sp@mmers.and.evil.ones.will.bow-down-to.us> wrote in
message news:1vkulc5jg6vsz.1trhac2nrluel.dlg@40tude.net... [color=blue]
> Regarding this well-known quote, often attributed to NotGiven's famous
> "Wed, 3 Dec 2003 15:48:51 -0500" speech:
>[color=green]
> > I need to verify if the page that led the user to this page used http or
> > httpS.
> >
> > for example, if the use cam to my page from:
> > httpS://www.dm.com/sample/foo.php
> >
> > I want to know as opposed to coming from:
> > http://www.dm.com/sample/foo.php
> >
> > I've tried looking at PORT but it doesn't seem to work properly.
> >
> > Any ideas?
> >
> > Thanks.[/color]
>
> Could I ask why? More details might make it possible to provide a better
> solution to the greater problem.
>
> --
> -- Rudy Fleminger
> -- Join Bytes!
> (put "Hey!" in the Subject line for priority processing!)
> -- http://www.pixelsaredead.com[/color]

Regarding this well-known quote, often attributed to NotGiven's famous
"Thu, 4 Dec 2003 17:23:51 -0500" speech:
[color=blue]
> Yes, thanks.
>
> I am doing a series of pages and my hosting company offers a shared SSL cert
> to use which the client asked for.
>
> Without a way to force all pages in the directory to be opened using SSL, I
> resort to forcing it in the code - PHP.
>
> Thus you can rewrite the URL to access the page without using SSL. So:
> https://ssl.myhost.com/sssl.mydomain.com/page1.php
>
> could be rewritten to:
> http://www.mydomain.com/page1.php
>
> and viewed. I need to distinguish between what is being loaded using SSL
> and not so I can do a location: redirect to the https version.
>
> If anyone knows of a way to do this using Apache, let me know. WIth Apache,
> I have tried, SSLRequireSSL directive - doesn't work. Tried directory
> cirective - doesn't work.
>
> Thanks.
> "FLEB" <soon.the.sp@mmers.and.evil.ones.will.bow-down-to.us> wrote in
> message news:1vkulc5jg6vsz.1trhac2nrluel.dlg@40tude.net... [color=green]
>> Regarding this well-known quote, often attributed to NotGiven's famous
>> "Wed, 3 Dec 2003 15:48:51 -0500" speech:
>>[color=darkred]
>>> I need to verify if the page that led the user to this page used http or
>>> httpS.
>>>
>>> for example, if the use cam to my page from:
>>> httpS://www.dm.com/sample/foo.php
>>>
>>> I want to know as opposed to coming from:
>>> http://www.dm.com/sample/foo.php
>>>
>>> I've tried looking at PORT but it doesn't seem to work properly.
>>>
>>> Any ideas?
>>>
>>> Thanks.[/color]
>>
>> Could I ask why? More details might make it possible to provide a better
>> solution to the greater problem.
>>
>> --
>> -- Rudy Fleminger
>> -- Join Bytes!
>> (put "Hey!" in the Subject line for priority processing!)
>> -- http://www.pixelsaredead.com[/color][/color]

Okay, I'm really in over my head on this one (I don't even know if I HAVE
an SSL-enabled server, much less used the features), but can you get it to
check whether the *current* page is being viewed SSL, then redirect to the
SSL version of itself it's not.

I'm just thinking that any checks would be worlds more safe and reliable if
it was the current page being checked, since HTTP is stateless (preserves
no information) and all information about previous activity has to be
continuously sent back-and-forth (with possible spoofing or security
implications).

--
-- Rudy Fleminger
-- Join Bytes!
(put "Hey!" in the Subject line for priority processing!)
-- http://www.pixelsaredead.com

My solution before would work well, this is a 100% proof as you can't rely
on referer.

Savut

"FLEB" <soon.the.sp@mmers.and.evil.ones.will.bow-down-to.us> wrote in
message news:m82kmnzf1okb.1klcwsg500zvd$.dlg@40tude.net... [color=blue]
> Regarding this well-known quote, often attributed to NotGiven's famous
> "Thu, 4 Dec 2003 17:23:51 -0500" speech:
>[color=green]
> > Yes, thanks.
> >
> > I am doing a series of pages and my hosting company offers a shared SSL[/color][/color]
cert[color=blue][color=green]
> > to use which the client asked for.
> >
> > Without a way to force all pages in the directory to be opened using[/color][/color]
SSL, I[color=blue][color=green]
> > resort to forcing it in the code - PHP.
> >
> > Thus you can rewrite the URL to access the page without using SSL. So:
> > https://ssl.myhost.com/sssl.mydomain.com/page1.php
> >
> > could be rewritten to:
> > http://www.mydomain.com/page1.php
> >
> > and viewed. I need to distinguish between what is being loaded using[/color][/color]
SSL[color=blue][color=green]
> > and not so I can do a location: redirect to the https version.
> >
> > If anyone knows of a way to do this using Apache, let me know. WIth[/color][/color]
Apache,[color=blue][color=green]
> > I have tried, SSLRequireSSL directive - doesn't work. Tried directory
> > cirective - doesn't work.
> >
> > Thanks.
> > "FLEB" <soon.the.sp@mmers.and.evil.ones.will.bow-down-to.us> wrote in
> > message news:1vkulc5jg6vsz.1trhac2nrluel.dlg@40tude.net... [color=darkred]
> >> Regarding this well-known quote, often attributed to NotGiven's famous
> >> "Wed, 3 Dec 2003 15:48:51 -0500" speech:
> >>
> >>> I need to verify if the page that led the user to this page used http[/color][/color][/color]
or[color=blue][color=green][color=darkred]
> >>> httpS.
> >>>
> >>> for example, if the use cam to my page from:
> >>> httpS://www.dm.com/sample/foo.php
> >>>
> >>> I want to know as opposed to coming from:
> >>> http://www.dm.com/sample/foo.php
> >>>
> >>> I've tried looking at PORT but it doesn't seem to work properly.
> >>>
> >>> Any ideas?
> >>>
> >>> Thanks.
> >>
> >> Could I ask why? More details might make it possible to provide a[/color][/color][/color]
better[color=blue][color=green][color=darkred]
> >> solution to the greater problem.
> >>
> >> --
> >> -- Rudy Fleminger
> >> -- Join Bytes!
> >> (put "Hey!" in the Subject line for priority processing!)
> >> -- http://www.pixelsaredead.com[/color][/color]
>
> Okay, I'm really in over my head on this one (I don't even know if I HAVE
> an SSL-enabled server, much less used the features), but can you get it to
> check whether the *current* page is being viewed SSL, then redirect to the
> SSL version of itself it's not.
>
> I'm just thinking that any checks would be worlds more safe and reliable[/color]
if[color=blue]
> it was the current page being checked, since HTTP is stateless (preserves
> no information) and all information about previous activity has to be
> continuously sent back-and-forth (with possible spoofing or security
> implications).
>
> --
> -- Rudy Fleminger
> -- Join Bytes!
> (put "Hey!" in the Subject line for priority processing!)
> -- http://www.pixelsaredead.com[/color]