使用 PHP 检查页面是否通过 SSL 访问
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/5100189/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Use PHP to check if page was accessed with SSL
提问by Spidy
Is there a way to check if the current page was opened with SSL? For example, I want my login page (login.php) to check if it was accessed using SSL (https://mywebserver.com/login.php). If not, redirect them to the SSL version of the page.
有没有办法检查当前页面是否使用 SSL 打开?例如,我希望我的登录页面 (login.php) 检查它是否是使用 SSL (https://mywebserver.com/login.php) 访问的。如果没有,请将它们重定向到页面的 SSL 版本。
Pretty much, I want to enfore that the user uses the page securely.
几乎,我想确保用户安全地使用该页面。
回答by Long Ears
You should be able to check that $_SERVER['HTTPS']is set, e.g.:
您应该能够检查是否$_SERVER['HTTPS']已设置,例如:
if (empty($_SERVER['HTTPS'])) {
header('Location: https://mywebserver.com/login.php');
exit;
}
回答by Baptiste Ménadier
Be careful. On my IIS server, $_SERVER['HTTPS'] is not empty but has the value 'off'.
当心。在我的 IIS 服务器上,$_SERVER['HTTPS'] 不为空,但值为 'off'。
So i had to do
所以我不得不做
if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
// no SSL request
}
回答by Saeven
You'll find this may not work if you are working over forwarded protocols. For example, Amazon's ELB can handle SSL negotiation and interact with your app servers over port 80.
如果您正在处理转发的协议,您会发现这可能不起作用。例如,Amazon 的 ELB 可以处理 SSL 协商并通过端口 80 与您的应用服务器交互。
This block handles that:
该块处理:
public function isSSL()
{
if( !empty( $_SERVER['https'] ) )
return true;
if( !empty( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https' )
return true;
return false;
}
回答by Neeraj Singh
Well, Here is another chunk of code. The code will return full url with https/http.
好吧,这是另一段代码。该代码将返回带有 https/http 的完整 url。
<?php
/**
* Check whether URL is HTTPS/HTTP
* @return boolean [description]
*/
function isSecure()
{
if (
( ! empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
|| ( ! empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
|| ( ! empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on')
|| (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443)
|| (isset($_SERVER['HTTP_X_FORWARDED_PORT']) && $_SERVER['HTTP_X_FORWARDED_PORT'] == 443)
|| (isset($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https')
) {
return true;
} else {
return false;
}
}
/**
* Example Use
*/
define('APP_URL', (isSecure() ? 'https' : 'http') . "://{$_SERVER['SERVER_NAME']}".str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME']));
echo APP_URL;
/**
* +++++++++++++++++++++++++
* OR - One line Code
* +++++++++++++++++++++++++
*/
define('APP_URL', ((( ! empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || ( ! empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') || ( ! empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on') || (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443) || (isset($_SERVER['HTTP_X_FORWARDED_PORT']) && $_SERVER['HTTP_X_FORWARDED_PORT'] == 443) || (isset($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https') ) ? 'https' : 'http') . "://{$_SERVER['SERVER_NAME']}".str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME']));
echo APP_URL;
?>
回答by Farray
<?php
if ( !empty( $_SERVER['HTTPS'] ) ) {
//do secure stuff
}else{
//warn or redirect or whatever
}
?>
回答by Pacerier
Another method is to check for the existence of HTTPS cookies. First your server needs to send the browser a cookie with the secureflag:
另一种方法是检查 HTTPS cookie 是否存在。首先,您的服务器需要向浏览器发送一个带有secure标志的 cookie :
Set-Cookie:some_key=some_value;secure
After your server has sent the browser the cookie, whenever the browser requests a page from your server, it will send along the secure cookie some_key=some_valueonly ifit is requesting a HTTPS page. This means that if you see the existence of the cookie some_key=some_valueyou know that the browser is requesting a HTTPS page. Voila!
在您的服务器向浏览器发送 cookie 后,每当浏览器从您的服务器请求页面时,它some_key=some_value只会在请求 HTTPS 页面时发送安全 cookie 。这意味着如果您看到 cookie 的存在,some_key=some_value您就知道浏览器正在请求 HTTPS 页面。瞧!
Browser support is very good, as this is fundamental to security. Browsers without support for HTTPS cookies are Firesheepablewhen users request pages from non-HSTSed domains.
浏览器支持非常好,因为这是安全的基础。不为HTTPS饼干支持浏览器是Firesheepable当用户请求来自非HSTSed域页。
For more info, see:
有关更多信息,请参阅:
回答by Konst
Just to add that in case of nginx, the way to check for https is:
只是补充一下,在 nginx 的情况下,检查 https 的方法是:
if (isset($_SERVER['SERVER_PORT']) &&
($_SERVER['SERVER_PORT'] === '443')) {
return 'https';
}
