Original site:

Add to the file: index.php

    # Add to redirect to HTTPS
    if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == "" || $_SERVER['HTTPS'] == "off") {
        // HTTP_HOST is taken from the Host header sent by the client
        $redirect = "https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
        header("Location: $redirect");
        exit;
    }

If you allow them to post to /login.php over plain HTTP and then redirect to HTTPS, you defeat the purpose of using HTTPS because the login information has already been sent in plain text over the internet.

What you could do to prevent the user from changing the URL is make it so the login page rejects the login if it is not over HTTPS.

What I use to check for the use of HTTPS is the following:

    if (!isset($_SERVER['HTTPS']) || !$_SERVER['HTTPS']) {
        // request is not using SSL, redirect to https, or fail
    }

If you are running your secure server on the default port of 443, then you can also check to see if that is the port, but PHP sets the $_SERVER['HTTPS'] value to non-empty if SSL is used so I would check for the presence of that for best practice.


If the user is so inclined to manually change the https to http and wants to send their information over plain text, there isn’t anything you can do to stop them, but if you disallow login over HTTP, so even the correct information will not log them in, you can force them to use https by making it the only thing that works.
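
An added example (not from the original page or the quoted answer) of the approach described above: a guard for the top of login.php that refuses credentials posted over plain HTTP instead of redirecting them, and redirects only GET requests. `CANONICAL_HOST`, `is_https` and `login_transport_decision` are hypothetical names, and the code assumes TLS terminates at the PHP server rather than at a proxy in front of it.

```php
<?php
// Added example. CANONICAL_HOST is an assumed placeholder; set it to the
// site's real hostname.
const CANONICAL_HOST = 'www.example.com';

// True when PHP reports that the request arrived over TLS. Some servers set
// HTTPS to "off" for plain HTTP, so a non-empty check alone is not enough.
function is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Decide how to treat a request to the login page.
// Returns [HTTP status, headers to send, whether login may proceed].
function login_transport_decision(array $server): array
{
    if (is_https($server)) {
        // HSTS: ask the browser to use HTTPS on its own for future visits.
        return [200, ['Strict-Transport-Security: max-age=31536000'], true];
    }
    if (($server['REQUEST_METHOD'] ?? 'GET') === 'POST') {
        // The credentials already crossed the network in plain text. Do not
        // redirect and do not authenticate, so that HTTP never "works".
        return [403, [], false];
    }
    // A GET carries no credentials, so redirecting it is safe. The target is
    // built from a fixed host, not from the client-supplied Host header.
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }
    return [301, ['Location: https://' . CANONICAL_HOST . $uri], false];
}

// Apply the decision at the top of login.php (skipped on the command line).
if (PHP_SAPI !== 'cli') {
    [$status, $headers, $proceed] = login_transport_decision($_SERVER);
    http_response_code($status);
    foreach ($headers as $h) {
        header($h);
    }
    if (!$proceed) {
        exit;
    }
    // ... credential check continues here, over HTTPS only ...
}
```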