
Cabbit

macrumors 68020
Original poster
Just thought I would share this with you guys; it took me quite a bit to work out how to accomplish this without breaking MVC and stuff.

This is a .htaccess rewrite for changing between http:// and https:// and back again on a page-specific basis.

In this example the secured pages are checkout and process. These can be any pages you want and any number of pages in the format "page1|page2|page3".

Just a little note for novices: "^checkout|process" means for these pages; "!^checkout|process" with the ! means not for these pages.

Code:
# Rewrites
RewriteEngine On

# domain.com to www.domain.com
RewriteCond %{HTTP_HOST} !^www\.domain\.com [NC]
RewriteRule ^(.*) http://www.domain.com/$1 [L,R=301]

# https to http for all other pages i.e. pages that don't need to be secure
# (the page list is grouped so that ^ applies to every name in it)
RewriteCond %{HTTPS} =on
RewriteCond %{ENV:REDIRECT_STATUS} =""
RewriteRule !^(checkout|process)(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Secure pages
RewriteCond %{HTTPS} !=on
RewriteCond %{ENV:REDIRECT_STATUS} =""
RewriteRule ^(checkout|process)(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Anything that is not an existing file or directory goes to the front controller
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ public/index.php?rt=$1 [QSA,L]
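
An added example, not part of the original post: regex alternation binds more loosely than the ^ anchor, so the "^checkout|process" pattern quoted in the note above also matches "process" anywhere in the path. This Python sketch models the two scheme-switching rules and compares that pattern with a grouped form; the function names and sample paths are constructed for illustration, and the model ignores the REDIRECT_STATUS condition.

```python
import re

# The pattern as quoted in the post, and a grouped form in which ^ applies
# to every page name in the list.
UNGROUPED = re.compile(r"^checkout|process(.*)$")
GROUPED = re.compile(r"^(checkout|process)(.*)$")


def redirect_for(pattern, https, path):
    """Model the two scheme-switching rules for one request.

    `path` is what a per-directory RewriteRule matches against: the URL path
    without its leading slash. Returns the scheme the client is redirected
    to ("http" or "https"), or None when neither rule fires.
    """
    secure_page = pattern.search(path) is not None
    if https and not secure_page:
        return "http"    # "https to http for all other pages"
    if not https and secure_page:
        return "https"   # "Secure pages"
    return None


def disagreements(paths):
    """Return the paths that the two patterns classify differently."""
    return [p for p in paths
            if bool(UNGROUPED.search(p)) != bool(GROUPED.search(p))]


# Constructed sample paths (not taken from a real site).
SAMPLE_PATHS = [
    "checkout", "checkout/step2", "process", "process/paypal",
    "products", "success",
    "blog/order-process", "help/how-we-process-orders",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:30} ungrouped: http->{redirect_for(UNGROUPED, False, p)!s:6}"
              f" grouped: http->{redirect_for(GROUPED, False, p)}")
    print("classified differently:", disagreements(SAMPLE_PATHS))
```

Running the same check over a site's real route list shows which pages each pattern would place in the HTTPS set before the rules go live.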
 
...for changing between http:// and https:// and back again on a page specific basis...

Thanks much for posting the cool solution. :D

One question -- why would it be necessary to switch back and forth on (which I take to mean 'within') a page? Ajax action and internal redirect?
 
Scenario 1
Brief
Not within a page, though I assume it would work.
Right, say you have an eshop and you have a products page and a checkout page; now the only page that needs an SSL cert would be the checkout. So you shove in all your Google Analytics and marketing crap in the products pages with your standard http requests, but your checkout page needs to be secured with SSL.

So with this solution the user is directed to the secure page only for the checkout actions, so the user gets a secured page then right back to the http pages once the order is complete, or if the user does not want to continue the checkout they can just hit their back button and bam, nothing has changed: https is off and the user can happily get on with browsing your site.

Use case 1
home page (http)
products (http)
checkout (https)
process - with paypal etc (https)
success (http)

Use case 2
home page (http)
products (http)
checkout (https)
- user decides to add something to the order or read up more
products (http)

Scenario 2
A user login using https encryption.

Use Case
Another scenario would be.
User enters page (http)
User goes to login (https)
User goes to welcome page (http)
 
One thing to watch out for, though, is that any sensitive/private information you store while on the SSL pages should not persist once back at the non-SSL pages, such as any credit card information that was stored in a session cookie. That could get tricky if the user uses their back button after entering an SSL zone and entering some private info.
 
Mmm, I store personal info in _POST then in _SESSION once it's flying about. I never store the credit card info; if the user gets it wrong they need to enter the credit card details again.
 
Hope you all like it. I used to use all sorts of redirects in the code with PHP and HTML, but it's messy and hard to maintain that way.

This method works for both MVC frameworks like Ruby on Rails/Zend/Cabbit and equally well on flat file applications.

It treats http://www.mysite.com/checkout/ (checkout being a pseudo URL index.php?route=/checkout/ or a folder) the same as http://www.mysite.com/checkout.html, which is one of the things it needed to do in order to be portable.
 