"Force SSL" works, how about "un-force" SSL?

I’m pulling together the last few puzzle pieces of a new membership site and my first experience working with S2Member. All in all, I’ve been very pleased. I’ve just run into this one issue where we have several “s2member_force_ssl” custom fields set (to “yes”), but need a way to “un force” SSL when a visitor leaves one of these https pages. We have some various htaccess rewrite rules in place that don’t kick us back to http:// (because there’s no absolute link)…so various pages that get visited (after an SSL page) end up looking partially encrypted and seem like something is wrong. I just need a way to explicitly state that a page should be “http://” unless it is specifically set to be “https://” with the “s2member_force_ssl” custom field. Make sense? Anyone else ever run into something like this? Maybe some sort of header conditional that sniffs for the URL parameter (the one that forcess SSL) and if it doesn’t find it, forces “http://”…maybe there’s something easier?

Any help would be greatly appreciated.

Thanks! Ross

Hi Ross,

The problem you’re having isn’t something that can easily be controlled from the server-side, as it’s the browsers that detect the base URL for relative anchors (e.g., <a href="/contact/"></a> will link to https://example.com/contact/ or http://example.com/contact/ depending on which prefix was used when the page was loaded).

I wrote a short primer explaining how all this works in the old forum:
http://www.primothemes.com/forums/viewtopic.php?f=4&t=16666&p=59690&#p59690

I can understand your frustration, as I’ve had to work around the same issue on my own site. What I did was make sure that the user was only presented with HTTPS links while they were logged in. Once they logout, they’re redirected to a non-HTTPS page and from then on all links they see remain non-HTTPS.

For any pages that use the s2member_force_ssl custom field, I made sure those pages were only available when the user is logged in or that any URLs on those pages point to HTTPS URLs where I’ve fixed any mixed-content issues. (I’ve found that other WordPress plugins are notorious for including scripts with non-HTTPS URLs that cause the mixed content issues.)

Hmm…yeah….darnit. Seems like this should be easier eh? Before spending too much time trying to reinvent this wheel and as much as I hate adding another plugin, I decided to try using “WordPress HTTPS”. I’d used this particular plugin in the past and remembered that it had an option to do just what I was talking about (UN-force SSL)….I just couldn’t remember how the “flag” was set. Turns out it is really similar to S2Member and just puts a custom field of “force_ssl” to the particular page/post. If the option of “Force SSL Exclusively” is checked, and that custom field is NOT present, the page redirects back to HTTP. Done. Unless I missed something, this seems like a really easy solution that seems to work fine with both S2Member and the Gravity Forms pages I’ve built that need SSL.

Thank you for sharing that info, Tony! That plugin definitely sounds useful for anyone else in the same scenario. :)