#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2003
    Posts
    390
    Rep Power
    48

    Problem when redirecting to force SSL


    Hello all,

    I am using the following code to enforce HTTPS

    PHP Code:
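        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') {
            // Not on HTTPS: redirect to the same path on the HTTPS origin
            header('Location: https://www.domain.com' . $_SERVER['REQUEST_URI']);
            exit; // stop the script so nothing else is sent with the redirect
        }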
    However, when http:// is purposely typed into the address bar of the Chrome browser, it does redirect to https:// but instead of the green padlock, there is a gray one with a yellow triangle. When you click on it, it says: "However, this page contains other resources which are not secure."

    There is no HTML on that page at all and the above is the only PHP. Refreshing the page shows the green padlock.

    What is going on?
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    I think the error message is pretty straightforward: One of the resources (an image, a JavaScript file, a .css file, whatever) has not been transmitted over HTTPS.

    Open the developer console of your browser (F12) and go to the "Network" tab. It lists all requests. The URLs starting with "http://" instead of "https://" are the issues.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  4. #3
  5. Contributing User
    Thanks. The page is empty! There is no HTML at all, let alone scripts and images.

    This is the whole script:

    PHP Code:
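    <?php

    if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') {
        // Not on HTTPS: send a permanent redirect to the same path on the HTTPS origin
        header("HTTP/1.1 301 Moved Permanently");
        header('Location: https://www.domain.com' . $_SERVER['REQUEST_URI']);
        exit; // stop the script so nothing else is sent with the redirect
    }

    ?>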
  6. #4
  7. Contributing User
    The same thing seems to be happening with Twitter but not Facebook! Visit both these sites but remove the S from https. What is Facebook doing right that Twitter isn't?

    Also the Twitter page has a latency of redirecting in 1ms. How on Earth is that possible? My page takes about 400ms.
  8. #5
  9. Contributing User
    Another question: is there any advantage in using Apache .htaccess to do a redirection instead of using PHP?
  10. #6
  11. Did you steal it?
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,068
    Rep Power
    9398
    I'm not seeing that behavior.

    The code you have in your script is great and all, but what is the actual output?
    And do find out what URLs are causing the problem. That will be a very big indication as to what's going on.
  12. #7
  13. Contributing User
    Originally Posted by requinix
    I'm not seeing that behavior.

    The code you have in your script is great and all, but what is the actual output?
    And do find out what URLs are causing the problem. That will be a very big indication as to what's going on.
    There is no other output; that is all the code. It happens with Google too.
  14. #8
  15. Did you steal it?
    Maybe you have answered the question but I can't tell for sure because you keep talking about the code.

    Forget the code for a second. Pull up the page in your browser such that it gives you the insecure content warning. Then hit F12 to bring up the built-in tools (not View Source as that might refresh the page).

    Now, what do you see in the Elements tab? What HTML is there?
