faqts : Computers : Programming : Languages : PHP : Not Quite PHP : SSL

+ Search
 Add Entry AlertManage Folder Edit Entry Add page to http://del.icio.us/
Did You Find This Entry Useful?

7 of 11 people (64%) answered Yes
Recently 6 of 10 people (60%) answered Yes

Entry

How can I make 100% sure that the server uses a SSL connection?
How to check if SSL is active?

Sep 1st, 2001 12:09
Hans Raaf, 


I can only tell something about Apache (1.3.20) with mod_ssl (2.8.4)
running php4.0.6 or php3.0.16

For PHP4:

There are two Informations in HTTP_SERVER_VARS (php4) related to this 
question (see phpinfo() output)

HTTP_SERVER_PORT
HTTPS

For PHP3:

Hmm... HTTP_SERVER_VARS seems not to exist here.. but both values exist 
in the $GLOBALS Array. This one can be "faked" using something like 
http://test.me.dom/?SERVER_PORT=443&HTTPS='on'

So I've written following code to deal with this:

<?php
function is_ssl_php3($port=443) {
/* If you are paranoid check this too:
 if(isset($HTTP_GET_VARS["SERVER_PORT"])) return false;
 if(isset($HTTP_POST_VARS["SERVER_PORT"])) return false;
 if(isset($HTTP_COOKIE_VARS["SERVER_PORT"])) return false;
*/
 if((!isset($GLOBALS["SERVER_PORT"])) ||
  ($GLOBALS["SERVER_PORT"]!=$port)) return false;
 if(isset($HTTP_GET_VARS["HTTPS"])) return false;
 if(isset($HTTP_POST_VARS["HTTPS"])) return false;
 if(isset($HTTP_COOKIE_VARS["HTTPS"])) return false;
 if((!isset($GLOBALS["HTTPS"])) ||
  ($GLOBALS["HTTPS"]!="on")) return false;
	return true;
}

function is_ssl_php4($port=443) {
 if(@$GLOBALS["HTTP_SERVER_VARS"]["SERVER_PORT"]!=$port) return false;
 if(@$GLOBALS["HTTP_SERVER_VARS"]["HTTPS"]!="on") return false;
 return true;
}

print("SV HTTPS: '".$HTTP_SERVER_VARS["HTTPS"]."'<br>");
print("SV PORT: '".$HTTP_SERVER_VARS["SERVER_PORT"]."'<br>");
print("GL HTTPS: '".$GLOBALS["HTTPS"]."'<br>");
print("GL PORT: '".$GLOBALS["SERVER_PORT"]."'<br>");

if(is_ssl_php3()) {
 print("PHP3: Is SSL!<br>");
} else {
 print("PHP3: Not SSL!<br>");
}

if(is_ssl_php4()) {
 print("PHP4: Is SSL!<br>");
} else {
 print("PHP4: Not SSL!<br>");
}
?>

Output for 'https://real.ssl-server.dom/' on php3:

SV HTTPS: ''
SV PORT: ''
GL HTTPS: 'on'
GL PORT: '443'
PHP3: Is SSL!
PHP4: Not SSL!

Output for 'https://real.ssl-server.dom/' on php4:

SV HTTPS: 'on'
SV PORT: '443'
GL HTTPS: 'on'
GL PORT: '443'
PHP3: Is SSL!
PHP4: Is SSL!

And... just to illustrate part of the Problems:

Output for the url 'http://notareal.ssl-server.dom/?
SERVER_PORT=443&HTTPS=on' on php3:

SV HTTPS: ''
SV PORT: ''
GL HTTPS: 'on'
GL PORT: '80'
PHP3: Not SSL!
PHP4: Not SSL!

The Port in "GLOBALS" seems to be okay.. hmmm.. you decide!
HTTPS is of course not needed if you are sure that the port 443
is enough information..

In that case:

 if($GLOBALS["SERVER_PORT"]==443) print("is ssl");

is the short answer :)

- Hans Raaf