HTTP to HTTPS and back solution

Discussion in 'Web Design and Development' started by Cabbit, Jun 7, 2010.

  1. Cabbit macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #1
    Just thought I would share this with you guys; it took me quite a bit to work out how to accomplish this without breaking MVC and stuff.

    This is a .htaccess rewrite for changing between http:// and https:// and back again on a page-specific basis.

    In this example the secured pages are checkout and process. These can be any pages you want and any number of pages in the format "page1|page2|page3".

    Just a little note for novices: "^checkout|process" means for these pages; "!^checkout|process" with the ! means not for these pages.

    Code:
    # Rewrites
    RewriteEngine On

    # domain.com to www.domain.com
    RewriteCond %{HTTP_HOST} !^www\.domain\.com [NC]
    RewriteRule ^(.*) http://www.domain.com/$1 [L,R=301]

    # https to http for all other pages i.e. pages that don't need to be secure
    # REDIRECT_STATUS is empty only on the initial request, so the scheme rules
    # are skipped after the internal rewrite to public/index.php further down.
    # The page names are grouped so that ^ anchors every alternative.
    RewriteCond %{HTTPS} =on
    RewriteCond %{ENV:REDIRECT_STATUS} =""
    RewriteRule !^(checkout|process)(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Secure pages
    RewriteCond %{HTTPS} !=on
    RewriteCond %{ENV:REDIRECT_STATUS} =""
    RewriteRule ^(checkout|process)(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Anything that is not an existing file or directory goes to the front controller
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ public/index.php?rt=$1 [QSA,L]
    
     
  2. SrWebDeveloper macrumors 68000

    SrWebDeveloper

    Joined:
    Dec 7, 2007
    Location:
    Alexandria, VA, USA
    #2
    Thanks much for posting the cool solution. :D

    One question -- why would it be necessary to switch back and forth on (which I take to mean 'within') a page? Ajax action and internal redirect?
     
  3. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #3
    Scenario 1
    Brief
    Not within a page, though I assume it would work.
    Right, say you have an eshop and you have a products page and a checkout page; now the only page that needs an SSL cert would be the checkout. So you shove in all your Google Analytics and marketing crap in the products pages with your standard http requests, but your checkout page needs to be secured with SSL.

    So with this solution the user is directed to the secure page only for the checkout actions, so the user gets a secured page then right back to the http pages once the order is complete, or if the user does not want to continue the checkout they can just hit their back button and bam, nothing has changed: https is off and the user can happily get on with browsing your site.

    Use case 1
    home page (http)
    products (http)
    checkout (https)
    process - with paypal etc (https)
    success (http)

    Use case 2
    home page (http)
    products (http)
    checkout (https)
    - user decides to add something to the order or read up more
    products (http)

    Scenario 2
    A user login using https encryption.

    Use Case
    Another scenario would be.
    User enters page (http)
    User goes to login (https)
    User goes to welcome page (http)
     
  4. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #5
    One thing to watch out for, though, is that any sensitive/private information you store while on the SSL pages should not persist once back at the non-SSL pages, such as any credit card information that was stored in a session cookie. That could get tricky if the user uses their back button after entering an SSL zone and entering some private info.
     
  5. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #6
    Mmm, I store personal info in _POST then in _SESSION once it's flying about. I never store the credit card info; if the user gets it wrong they need to enter the credit card details again.
     
  6. ChicoWeb macrumors 65816

    ChicoWeb

    Joined:
    Aug 16, 2004
    Location:
    California
    #7
    I've never thought of doing it in .htaccess... We typically use headers. Nice work though.
     
  7. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #8
    Hope you all like it. I used to use all sorts of redirects in the code with PHP and HTML, but it's messy and hard to maintain that way.

    This method works for both MVC frameworks like Ruby on Rails/Zend/Cabbit and equally well on flat file applications.

    It treats http://www.mysite.com/checkout/ (checkout being a pseudo URL index.php?route=/checkout/ or a folder) the same as http://www.mysite.com/checkout.html, which is one of the things it needed to do in order to be portable.
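
Added example, not part of the thread or any poster's code: a small Python model of the rule set from the first post, run over constructed request URLs, which shows where `/checkout/` and `/checkout.html` end up and compares the alternation as quoted in the first post with a grouped form. It assumes the thread's placeholder host `www.domain.com` and approximates mod_rewrite's per-directory matching; the function names are hypothetical.

```python
import re

# Added model of the thread's .htaccess rules; it imitates them, it is not Apache.
CANONICAL_HOST = "www.domain.com"        # placeholder host used in the thread
AS_QUOTED = r"^checkout|process(.*)$"    # alternation as written in the first post
GROUPED = r"^(checkout|process)(.*)$"    # "^" anchors both page names


def next_redirect(scheme, host, path, secure_pattern=GROUPED):
    """Return the 301 target the modelled rules would send, or None if served as-is."""
    # In .htaccess context the pattern sees the path without its leading slash.
    rel = path.lstrip("/")
    if not re.match(r"www\.domain\.com", host, re.I):
        return f"http://{CANONICAL_HOST}/{rel}"
    secure_page = re.search(secure_pattern, rel) is not None
    if scheme == "https" and not secure_page:
        return f"http://{host}{path}"
    if scheme == "http" and secure_page:
        return f"https://{host}{path}"
    return None


def redirect_chain(url, secure_pattern=GROUPED, max_hops=5):
    """Follow the modelled redirects; return every URL visited, in order."""
    hops = [url]
    for _ in range(max_hops):
        scheme, rest = hops[-1].split("://", 1)
        host, _sep, path = rest.partition("/")
        target = next_redirect(scheme, host, "/" + path, secure_pattern)
        if target is None:
            break
        hops.append(target)
    return hops


if __name__ == "__main__":
    # Constructed sample requests: pages from the thread plus two edge cases.
    samples = ("http://www.domain.com/products",
               "http://www.domain.com/checkout/",
               "http://www.domain.com/checkout.html",
               "https://www.domain.com/success",
               "https://domain.com/checkout",
               "http://www.domain.com/products/processors")
    for url in samples:
        print(" -> ".join(redirect_chain(url)))
        print("   as quoted ends at:", redirect_chain(url, AS_QUOTED)[-1])
```

In this model the pattern as quoted sends `/products/processors` to https because `process` can match anywhere in the path, and a request to the bare domain passes through one `http://` hop before it reaches the https checkout page.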
     
