[pmwiki-users] "Bug" when installing to a secure server?

HaganFox haganfox at users.sourceforge.net
Thu Dec 21 20:36:53 CST 2006


<christian.ridderstrom <at> gmail.com> writes:
> On Wed, 20 Dec 2006, Patrick R. Michaud wrote:
[...]
> >> I think you may rely on the HTTPS environment variable.
> >
> > Hmm.  It's annoying that none of the Apache/mod_ssl docs
> > actually say what value the HTTPS environment variable will
> > be set to when running via a secure connection.
> >
> > But based on the phpinfo you've given above I guess we'll
> > just assume 'https:' whenever $_SERVER['HTTPS'] is 'on', and
> > 'http:' otherwise.

I looked into this quite a bit when I wrote the SwitchToSSLMode recipe[1] and
decided that "whenever $_SERVER['HTTPS'] is 'on'" is a fairly reliable test.

I think these are accurate:

if ($_SERVER['HTTPS'] == 'on') { # definitely SSL }
if (!isset($_SERVER['HTTPS'])) { # definitely not SSL }
if ($_SERVER['HTTPS'] == 'off') { # definitely not SSL }
if ($_SERVER['SERVER_PORT'] == '443') { # extremely likely SSL }
if ($_SERVER['SERVER_PORT'] == '80') { # very likely not SSL }

> I just checked using
> 
>  	echo "HTTPS: '". $_SERVER['HTTPS'] ."'";
> 
> On my secure installation the result was 'on', and on a public I just got 
> what I think is an empty string, i.e. ''.

That's good feedback.  Just to be sure I understand, the public server is also
HTTPS, correct?

Assuming so, I suspect

if (@$_SERVER['HTTPS'] == 'on'
 || @$_SERVER['SERVER_PORT'] == '443') { # ... }

would work on both of those servers.   I think it would virtually never detect
HTTPS in error, except if a server is using port 443 and not HTTPS.  I don't
think that's likely to happen, and even if it does the wiki administrator can
always set $ScriptUrl explicitly.

Hagan

[1] http://www.pmwiki.org/wiki/Cookbook/SwitchToSSLMode





More information about the pmwiki-users mailing list