How to use SSL / HTTPS effectively in your PHP website

So, you’ve got a big website with thousands of members, it brings in $50 a day, and your community couldn’t be happier. What could be better? HTTPS could be better.

There’s just something so exciting about that little padlock appearing beside your domain name. To your customers it shows that you care about their online safety, and that you want them to feel safe.

But, HTTPS can be a complete pain to code, and many people go about it completely the wrong way. So here’s my entry to help those of you struggling with integrating HTTPS in PHP.

Look to the right – wouldn’t you feel safer seeing padlocks everywhere? Your customers would too. But it really doesn’t need to be everywhere. If you served 100,000 pages a day, chances are only 1,000 of those pages need to be served securely. If we were running a shop front, selling computer parts, this is how the user’s actions would look in an ideal world:

  1. User types in www.yourshop.co.uk and presses enter.
  2. They type ‘computer monitor lead’ into the search box and hit enter.
  3. They see that you have a wide range of leads available and spot the one they want. So they click ‘Add To Cart’.
  4. They notice a cool TV Tuner in the similar items section, so they click that. Then they click ‘Add To Cart’ again.
  5. Now they’ve had enough of running up a bill, so they click ‘Checkout’.
  6. They type in their details, such as their first name, last name and address.
  7. They fill in their credit card numbers.
  8. They click Process and wait.
  9. Your site serves them with the Checkout Complete page.

So as you can see, average Joe doesn’t care much about the fancy decorations on your site; they’re just looking to get stuff done. There are two things to note about this set of actions, though:

  • Average Joe doesn’t submit any sensitive data until action 6. This means that you don’t need an HTTPS connection until Joe checks out.
  • Average Joe might decide against submitting his details if he notices that you don’t have a secure connection available at checkout.

Conclusion: It’s worth the time implementing HTTPS, and there are ways to do it effectively. This is how I’d go about doing it.

1. Users Don’t Like Unexpected Messages

First, avoid triggering those horrible warnings that tell the user there is insecure data on a secure page. They usually appear when the page loads images from other servers that aren’t secure, but they can also appear if you use full URLs instead of relative URLs for your own images. Example:

WRONG: <img src="http://www.yourshop.co.uk/image/robodog.jpg">

CORRECT: <img src="/image/robodog.jpg">

You see? Use relative paths and you won’t run into this problem. As for images on other websites, upload them on to your own site. Example:

WRONG: <img src="http://www.otherdomain.co.uk/robocat.jpg">

CORRECT: <img src="/image/robocat.jpg">

Avoiding these warnings improves the user experience.
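One way to find the offending references before a browser does, as an added example that is not from the original post: it parses a page and lists the sub-resources requested over plain http://. The function name `findInsecureResources` and the sample markup are constructed for illustration.

```php
<?php
// Added example, not the article's code.

/**
 * List sub-resources in $html that are requested over plain http://.
 * Relative and https:// URLs pass; <a href> links are not sub-resources
 * and do not cause the warning, so they are ignored.
 */
function findInsecureResources(string $html): array
{
    // tag => attribute that makes the browser fetch something
    $watched = ['img' => 'src', 'script' => 'src', 'iframe' => 'src', 'link' => 'href'];

    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // tolerate sloppy markup
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $found = [];
    foreach ($watched as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $node) {
            // Skip <link> elements that are not stylesheets (e.g. rel="canonical").
            if ($tag === 'link' && stripos($node->getAttribute('rel'), 'stylesheet') === false) {
                continue;
            }
            $url = trim($node->getAttribute($attr));
            if (stripos($url, 'http://') === 0) {
                $found[] = ['tag' => $tag, 'url' => $url];
            }
        }
    }
    return $found;
}

// Constructed sample page built from the image examples above.
$page = <<<HTML
<html><body>
<img src="http://www.yourshop.co.uk/image/robodog.jpg">
<img src="/image/robodog.jpg">
<img src="http://www.otherdomain.co.uk/robocat.jpg">
<a href="http://www.otherdomain.co.uk/">plain link, not a sub-resource</a>
</body></html>
HTML;

foreach (findInsecureResources($page) as $hit) {
    echo "<{$hit['tag']}> loads {$hit['url']}\n";
}
```

Run it over the rendered output of each page that sets the secure flag; the relative image and the plain link are not reported.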

2. Make HTTPS Easy

Manually linking to HTTPS and HTTP is a nightmare, and you’ll probably always be correcting links. It also doesn’t make for good error correction. Here’s how to do it effectively.

In every script you think should be served via HTTPS, place $securePage=1 at the very beginning of the script – that’s BEFORE your config script.

In your config script, we will place HTTPS detection code to redirect if appropriate.

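      // $securePage is set to 1 at the top of scripts that must use HTTPS.
      // PHP variable names are case-sensitive, so the spelling must match.
      $securePage = !empty($securePage);
      // Some servers set HTTPS to 'off' instead of leaving it unset.
      $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off';

      if ($isHttps) {
        // we are on a secure page.
        if (!$securePage) {
          // but we shouldn't be!
          $url='http://www.yourshop.co.uk'.$_SERVER['REQUEST_URI'];
          header('Location: '.$url);
          exit;
        }
      } else {
        // we aren't on a secure page.
        if ($securePage) {
          // but we should be!
          $url='https://www.yourshop.co.uk'.$_SERVER['REQUEST_URI'];
          header('Location: '.$url);
          exit;
        }
      }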

So if we’re currently in HTTPS mode, but $securePage doesn’t equal 1, the config script will redirect to HTTP mode. And the same the other way round – if $securePage says we should be serving secure pages, config will redirect to HTTPS mode.

This is a simple yet effective way of enforcing secure behaviour. It doesn’t mean that you can’t provide full URL links where they are appropriate – and it is recommended that you do so if you can.
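The redirect above, extended as an added example (not the article's code) to one case it handles badly: a form posted over plain HTTP to a page marked secure. The names `isHttps`, `schemeDecision` and `SHOP_HOST` and the sample paths are assumptions made for illustration.

```php
<?php
// Added example: decide what to do with a request given the page's
// $securePage flag. Pure function, so it can be run on constructed input.

const SHOP_HOST = 'www.yourshop.co.uk'; // host name used in the article

/** True when the request arrived over HTTPS. Some servers set 'off'. */
function isHttps(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

/** Returns [status, location]; status 200 means "serve the page". */
function schemeDecision(array $server, bool $securePage): array
{
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    $uri    = $server['REQUEST_URI'] ?? '/';

    if (isHttps($server) === $securePage) {
        return [200, null];                 // already on the right scheme
    }
    if ($securePage && $method !== 'GET' && $method !== 'HEAD') {
        // The form body has already crossed the network in the clear, and a
        // redirect would drop it anyway. Refuse, so the bad form gets fixed.
        return [400, null];
    }
    $scheme = $securePage ? 'https' : 'http';
    return [302, $scheme . '://' . SHOP_HOST . $uri];
}

// Constructed requests: [fake $_SERVER, $securePage flag of the script].
$cases = [
    'checkout over http'    => [['REQUEST_METHOD' => 'GET',  'REQUEST_URI' => '/checkout.php'], true],
    'card form over http'   => [['REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/process.php'], true],
    'search over https'     => [['HTTPS' => 'on', 'REQUEST_METHOD' => 'GET',
                                 'REQUEST_URI' => '/search.php?q=lead'], false],
    'checkout over https'   => [['HTTPS' => 'on', 'REQUEST_METHOD' => 'GET',
                                 'REQUEST_URI' => '/checkout.php'], true],
];
foreach ($cases as $label => [$server, $securePage]) {
    [$status, $location] = schemeDecision($server, $securePage);
    echo str_pad($label, 24), $status, ' ', $location ?? '-', "\n";
}
```

A 400 on the posted form points at the real fix: the form's action must be a full https:// URL, so the details never travel over HTTP in the first place.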

Let me know if you use my code in your own projects.

2 Responses to “How to use SSL / HTTPS effectively in your PHP website”

  1. Jean Says:

    Very informative. There is however something that is puzzling me and I can’t find anything when I google for it.

    What happens to the data passed with the URL?

    If I have http://www.mysite/login.php?usr=asd&pwd=123

    Is the usr and pwd content definitely not encrypted even if I redirect? I obviously think it’s not encrypted, but I have limited knowledge on that matter. I don’t see the point in redirecting within PHP to HTTPS because the data is already available.

    Or is it not working like that?

    Thanks for your help.

    Jean


  2. Steve Says:

    @Jean:

    You’re quite right! If you are going to submit data to a form from a non-encrypted page, then you must make sure that you type in the complete URL with HTTPS:// included.
