如何在php中将页面重定向到https?
我有一个登录表单:
<form method =POST action="/login.php">
...
</form>
我希望将 login.php 页面重定向到使用 https。
我不想将用户发送到 https://.../login.php 因为他们可能会更改链接。但我想在解析登录表单数据并登录用户之前在服务器端进行重定向。
我找到了示例:
if($_SERVER["HTTPS"] != "on") {
header("HTTP/1.1 301 Moved Permanently");
header("Location: "https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);
exit();
}
但我没有 $_SERVER["HTTPS"] if我 var_dump($_SERVER);
我确实有 $_SERVER['SERVER_PORT'] 女巫是 80。
有什么想法吗?
谢谢
i have a login form:
<form method =POST action="/login.php">
...
</form>
i would like the login.php page to redirect to using https.
i don't want to send the user to https://.../login.php because they might change the link. but i want to do a redirect on the server side before i parse the login form data and log the user in.
i found and example:
if($_SERVER["HTTPS"] != "on") {
header("HTTP/1.1 301 Moved Permanently");
header("Location: "https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);
exit();
}
but i don't have $_SERVER["HTTPS"] if i var_dump($_SERVER);
i do have $_SERVER['SERVER_PORT'] witch is 80.
any ideas?
Thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
如果您允许他们通过纯 HTTP 发布到 /login.php,然后重定向到 HTTPS,那么您就达不到使用 HTTPS 的目的,因为登录信息已经通过互联网以纯文本形式发送。
为了防止用户更改 URL,您可以采取的措施是,如果不是通过 HTTPS,登录页面将拒绝登录。
我用来检查 HTTPS 的使用情况如下:
如果您在默认端口 443 上运行安全服务器,那么您还可以检查这是否是该端口,但 PHP 设置了 $_SERVER如果使用 SSL,['HTTPS'] 值为非空,因此我将检查是否存在该值以获得最佳实践。
编辑:
如果用户手动将 https 更改为 http 并希望通过纯文本发送其信息,则您无法阻止他们,但如果您不允许通过 HTTP 登录,那么即使是正确的信息不会让他们登录,您可以通过使其成为唯一有效的方式来强制他们使用 https。
If you allow them to post to /login.php over plain HTTP and then redirect to HTTPS, you defeat the purpose of using HTTPS because the login information has already been sent in plain text over the internet.
What you could do to prevent the user from changing the URL, is make it so the login page rejects the login if it is not over HTTPS.
What I use to check for the use of HTTPS is the following:
If you are running your secure server on the default port of 443, then you can also check to see if that is the port, but PHP sets the
$_SERVER['HTTPS']value to non-empty if SSL is used so I would check for the presence of that for best practice.EDIT:
If the user is so included to manually change the https to http and want to send their information over plain text, there isn't anything you can do to stop them, but if you disallow login over HTTP, so even the correct information will not log them in, you can force them to use https by making it the only thing that works.
无论您使用什么页面显示登录表单,在填写表单之前都应该已经使用
https://,然后应将其提交到另一个https ://地址。否则,您将使表单容易受到攻击。您可以查看 mod_rewrite 使用
http 自动重定向任何请求://到https://,至少对于您的登录页面而言。Whatever page you use to display your login form should already be using
https://before the form is filled out, and then it should be submitted to anotherhttps://address. Otherwise, you'll leave the form open to attack.You could look into mod_rewrite to automatically redirect any request using
http://tohttps://, at least for your login page.假设您的登录表单页面是由
index.php生成的,您需要将 HTTP 到 HTTPS 重定向的示例代码放在index.php中。这将确保当用户填写表单并提交时,它会通过 HTTPS 而不是 HTTP 提交到/login.php。将此检查放入
login.php中是徒劳的,因为当login.php获取请求并尝试重定向到相应的 HTTPS URL 时,凭据已经以纯文本形式提交给它,这是您应该避免的。您会看到
$_SERVER['SERVER_PORT']为80且$_SERVER["HTTPS"]未设置,当您将检查放入login.php进一步证明登录凭据是通过 HTTP 提交给它的,因此登录凭据从客户端到达您的服务器时未加密。必须遵循我在本回复第一段中所说的内容来避免这种情况。顺便说一句,我不会使用 PHP 来进行这种重定向。 Apache HTTPD 中的
mod_rewrite可以非常方便地处理此类重定向。例如,假设您的登录页面可通过 URL http://example.com/foo/ 访问:
Assuming that your page with the login form is generated by
index.php, you need to put the example code for HTTP to HTTPS redirection inindex.php. This will ensure that when the user fills up the form and submits it, it is submitted to/login.phpvia HTTPS and not HTTP.Putting this check inside
login.phpis futile because by the timelogin.phpgets the request and tries to redirect to the corresponding HTTPS URL, well, the credentials have already been submitted to it as plaintext which is what you should want to avoid.The observation that you see
$_SERVER['SERVER_PORT']to be80and$_SERVER["HTTPS"]to be not set when you put the check insidelogin.phpis a further proof of the fact that login credentials are being submitted to it via HTTP and thus the login credentials are reaching your server from the client unencrypted. This has to be avoided by following what I said in the first paragraph of this response.BTW, I wouldn't use PHP to do this sort of redirection. Such redirections are very conveniently handled by
mod_rewritein Apache HTTPD.An example, assuming that your login page is available at the URL, http://example.com/foo/: