HTTPS check using 'HTTPS' _SERVER key


#1

git diff 9f7bd151c6623397e35661200ff3f7aa8b3850d8 1003cb24b99aa72f0d37c93ede4053f9d65849cf

b/include/functions.php
if ($_SERVER['HTTPS'] == "on") {
b/include/sanity_check.php
$proto = ($_SERVER['HTTPS'] == 'on'
if ($_SERVER['HTTPS'] &&
…etc

Maybe this would be correct: (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off')?

http://php.net/manual/en/reserved.variables.server.php
Set to a non-empty value if the script was queried through the HTTPS protocol.
Note: Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol.

And sometimes I have seen the fastcgi param HTTPS='' (empty string) as the correct non-HTTPS value

https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/
fastcgi_param HTTPS $https;


'HTTPS' => '',

Also in my practice, I have seen 'ON' several times.
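
The check proposed in this post, written out as a helper and run over the values it mentions ('on', 'ON', 'off', empty string, key not set). This is an added example, not code from the post or from tt-rss; `request_is_https()`, `$trustedProxies` and the sample environments are constructed for illustration. It goes one step beyond the post by honouring `X-Forwarded-Proto` only when the direct peer is on an allow-list, which is an assumption about the deployment.

```php
<?php
// Added example, not tt-rss code. $trustedProxies is a hypothetical setting
// listing the reverse proxies allowed to speak for the original scheme.
function request_is_https(array $server, array $trustedProxies = []): bool
{
    // PHP manual: HTTPS is non-empty when the request used HTTPS;
    // IIS/ISAPI sets it to "off" otherwise. Compare case-insensitively,
    // since some servers send "ON" / "OFF".
    $https = strtolower(trim((string) ($server['HTTPS'] ?? '')));
    if (!empty($https) && $https !== 'off') {
        return true;
    }

    // X-Forwarded-Proto is a request header: believe it only when the
    // connection comes from a proxy that is known to overwrite it.
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    if (in_array($peer, $trustedProxies, true)) {
        $proto = strtolower(trim((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')));
        return $proto === 'https';
    }

    return false;
}

// Constructed sample environments: label => [$_SERVER-like array, expected].
$cases = [
    'HTTPS=on'                    => [['HTTPS' => 'on'], true],
    'HTTPS=ON'                    => [['HTTPS' => 'ON'], true],
    'HTTPS=off (IIS/ISAPI)'       => [['HTTPS' => 'off'], false],
    'HTTPS=OFF'                   => [['HTTPS' => 'OFF'], false],
    "HTTPS='' (nginx \$https)"    => [['HTTPS' => ''], false],
    'HTTPS not set'               => [[], false],
    'forwarded, trusted proxy'    => [['HTTPS' => '', 'REMOTE_ADDR' => '127.0.0.1',
                                       'HTTP_X_FORWARDED_PROTO' => 'https'], true],
    'forwarded, unknown peer'     => [['REMOTE_ADDR' => '203.0.113.9',
                                       'HTTP_X_FORWARDED_PROTO' => 'https'], false],
];

foreach ($cases as $label => [$env, $expected]) {
    $got = request_is_https($env, ['127.0.0.1']);
    printf("%-28s %-5s %s\n", $label, var_export($got, true),
        $got === $expected ? 'ok' : 'MISMATCH');
}
```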


#2

this sounds like a good idea, can you file a PR for it?


#3

Oops, sorry, I'm not a developer :frowning: I don't know how to do it.
I can make diff:

$ git diff 9fa3ae09a6fe791805ee63e87fcac970e3f037ed
diff --git a/include/functions.php b/include/functions.php
index ad6f2689..ba5a699b 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -1782,7 +1782,7 @@
        }
 
        function is_server_https() {
-               return $_SERVER['HTTPS'] == 'on' || $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https';
+               return (!empty($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] != 'off')) || $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https';
        }
 
        function is_prefix_https() {
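Review bot: On the added line in is_server_https(), only the HTTPS half received the !empty() guard; $_SERVER['HTTP_X_FORWARDED_PROTO'] is still read unguarded, so any plain-HTTP request without that header raises an undefined-index notice. Wrapping it as !empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && ... would match the left side. The != 'off' comparison is also case-sensitive, so a server reporting HTTPS as 'OFF' would be treated as HTTPS; comparing against strtolower($_SERVER['HTTPS']) would cover that.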
diff --git a/include/sessions.php b/include/sessions.php
index 0690ab7e..3d6e6e2c 100644
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -12,7 +12,7 @@
        $session_expire = min(2147483647 - time() - 1, max(SESSION_COOKIE_LIFETIME, 86400));
        $session_name = (!defined('TTRSS_SESSION_NAME')) ? "ttrss_sid" : TTRSS_SESSION_NAME;
 
-       if (@$_SERVER['HTTPS'] == "on") {
+       if ((!empty($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] != 'off')) || @$_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
                $session_name .= "_ssl";
                ini_set("session.cookie_secure", true);
        }
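Review bot: The new condition in sessions.php repeats the is_server_https() expression inline rather than sharing one helper, so this patch now carries three copies that can drift apart; here the forwarded-proto read is silenced with @ while the other two copies are not. This line also makes X-Forwarded-Proto decide session.cookie_secure and the "_ssl" session name, which the old line did not do. That header comes from the client unless a reverse proxy overwrites it, so a comment stating that it is only meaningful behind such a proxy would help whoever deploys this.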
diff --git a/install/index.php b/install/index.php
index 4239f589..88357300 100755
--- a/install/index.php
+++ b/install/index.php
@@ -180,7 +180,7 @@
        }
 
        function is_server_https() {
-               return $_SERVER['HTTPS'] == 'on' || $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https';
+               return (!empty($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] != 'off')) || $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https';
        }
 
        function make_self_url_path() {
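Review bot: is_server_https() in install/index.php is a second copy of the function changed in include/functions.php and carries the same unguarded $_SERVER['HTTP_X_FORWARDED_PROTO'] read and the same case-sensitive 'off' comparison on its added line. Whatever guard is adopted in include/functions.php should land here in the same change, so the installer and the application agree on what counts as HTTPS.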

#4

https://git.tt-rss.org/git/tt-rss/pulls/3


#5

not a developer
can do diffs

choose one :slight_smile:


#6

hrmph, I’m a sysadmin, not a developer, but I have been using and making diffs for 25+ years.