How enforce that everything on a page has to be from https?

[someguy321]

I want to make sure that a specific page (login.php) only has stuff from my https and none from my (or other) http sites. How can I do this?

[billckr]

You don't want to be doing this with PHP. This is a good for Apache or mod_rewrite or what ever web-server software you are using.  You could use something like;

 

RewriteEngine On

RewriteCond %{SERVER_PORT} !443$

RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]

 

if you really want to use php perhaps something like;

 

if($_SERVER['SERVER_PORT'] != '443') {
    //Force SSL upon this page
    header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
}

 

However, neither of these solutions will ensure that any item on the page it called via SSL. The only way to ensure that is to include it via SSL in the code and using SSL via the web browser. Any item like an image called from say;

 

<img src="http://mydomain.com/images/myimage.jpg"  />

 

Will be insecure because it wasn't called via https, but http, and the users browser will allow access to the page but give them a choice to not load that image. hope this helps. Perhaps others have better solutions..

 

Bill.