Forcing removal of https to http from secure area

Discussion in 'Security' started by JWRmedia, Nov 13, 2008.

  1. #1
    I have only one directory on my site I want to force https for, and this code is working great:

    
    RewriteEngine on
      RewriteCond %{SERVER_PORT} !443
      RewriteRule ^(.*)$ https://www.mydomain.com/secure/$1 [R=301,L]
    
    Code (markup):
    The only thing I cant get to work is if the visitor browses OUTSIDE of the /secure folder, to force the removal of https back to http.

    Here's what I have now, but it is not working:

    
    RewriteCond %{SERVER_PORT} ^443$
    RewriteCond !^/(secure) [NC]
    RewriteRule .? http://www.mydomain.com%{REQUEST_URI} [R,L] 
    
    Code (markup):
    Any suggestions as to what else may work?

    Thanks
     
    JWRmedia, Nov 13, 2008 IP
  2. JWRmedia

    JWRmedia Banned

    Messages:
    499
    Likes Received:
    35
    Best Answers:
    0
    Trophy Points:
    0
    #2
    UPDATE: Found a fix, thought I'd share with everyone.

    I placed this in the htaccess file in the home directory:

    (Forces entire site to be viewed in http)
    
    RewriteEngine On
    RewriteCond %{HTTPS} on
    RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
    
    Code (markup):
    Then, in the directory I want to force https on, I created an htaccess file in that directory and inserted:

    (Forces https for all pages- remember this is placed in the directory you want to force https in, not the home folder)
    
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    
    Code (markup):
    I dont think it could get much simpler than that and it works great for me! I think its better too because it doesn't specify a specific port # in case people behind certain firewalls/etc. prefer to use different port #'s, or if your particular host uses a different port #.
     
    JWRmedia, Nov 13, 2008 IP