How Can I Reliably Determine HTTPS Connection Status Without Using $_SERVER['HTTPS']?

Determining HTTPS Connection Status Without $_SERVER['HTTPS']

When attempting to ascertain the security of a server connection using $_SERVER['HTTPS'], you may encounter scenarios where the variable is undefined, leading to errors. To overcome this, consider an alternative solution that consistently yields reliable results.

Enhanced Code for HTTPS Detection

To determine the connection status without relying on $_SERVER['HTTPS'], implement the following code:

function isSecure() {
  return
    (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || $_SERVER['SERVER_PORT'] == 443;
}

Compatibility and Considerations

This code exhibits compatibility with various server configurations, including IIS.

According to PHP.net documentation and user feedback:

• If the script is accessed via HTTPS, $_SERVER['HTTPS'] will contain a non-empty value.
• For IIS with ISAPI, $_SERVER['HTTPS'] may be set to "off" during non-HTTPS connections.
• Apache 1.x servers may not define $_SERVER['HTTPS'] even for secure connections.

Additional Points

• Connections established on port 443 typically indicate secure sockets. However, this is only a convention, not a guarantee.
• If a load balancer exists between the client and the server, the code will not assess the client-to-load balancer connection, but rather the load balancer-to-server connection. To evaluate the former, consider using the HTTP_X_FORWARDED_PROTO header, though this method entails greater complexity.

The above is the detailed content of How Can I Reliably Determine HTTPS Connection Status Without Using $_SERVER['HTTPS']?. For more information, please follow other related articles on the PHP Chinese website!