Reliability of using meta refresh to switch to https

bunner_bob

I'm currently including the following code into each page of a site, preceded by a "$page_secure" flag when that particular page is supposed to be secure:

$secure_url_prefix = 'https://www.site.com/';
$nonsecure_url_prefix = 'http://www.site.com/';

if (empty($page_secure) && isset($_SERVER['HTTPS']))
{

// If this page is NOT supposed to be secure, but URL currently is, auto-refresh out of it

$refresh_url = $nonsecure_url_prefix . $_SERVER['REQUEST_URI'];
$page->set('refresh', '<meta http-equiv="refresh" content="0;URL=' . $refresh_url . '" />');
}
elseif (!empty($page_secure) && !isset($_SERVER['HTTPS']) && empty($staging_server))
{

// If this page is SUPPOSED to be secure, but URL currently is NOT, auto-refresh into Secure
// But NOT if this is the staging server

$refresh_url = $secure_url_prefix . $_SERVER['REQUEST_URI'];
$page->set('refresh', '<meta http-equiv="refresh" content="0;URL=' . $refresh_url . '" />');
}

Is this a good way of forcing the page to be secure, or nonsecure, or is there a better or more reliable way of doing it?

I recall hearing somewhere that meta refresh is not the most reliable way of redirecting a user - perhaps because the user can disable something in the browser - I don't know why actually, but just looking to be more secure and reliable, and do things the best way.

redrage

I like to use header when ever i can.

header("Location: $url_to_page");

it seems to be quicker than meta tags. You just need to be sure you do not send anyother headers before. (any cookies or echos and such).

MarkR

Personally I'd do a few things:

Use "Location:" for redirects, as suggested by redrage
Check the request method; if it's a POST which has been sent using the wrong protocol (HTTP rather than HTTPS), throw a loud error as this indicates a security bug that you want to pick up as early as possible. You can't redirect POSTs anyway (at least not preserving the posted data)

Mark