Here’s a generic .htaccess excerpt that you can use to redirect users to the SSL-enabled version of the page they requested. Just drop it into any directory you want to enforce security on, and you’re done (no modification necessary).
RewriteEngine On
# Match only requests that did not arrive over TLS (Apache sets HTTPS to "on" for every TLS connection)
RewriteCond %{HTTPS} off
# Send the client to the same host and path over https; mod_rewrite appends the original query string automatically.
# [R=301,L]: issue a permanent redirect and stop processing further rules in this file.
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
The code is simple. The middle line checks whether the request arrived over HTTPS (the “HTTPS” variable is set internally by Apache on all HTTPS connections), so the rule only fires when it is off. The last line tells the client to re-request the exact same page over SSL.
Note that in the interest of security, you want to make sure that you never send “secret” information to a non-HTTPS URL, even if that request will eventually get redirected to a secure channel. This is because when the client requests the original insecure URL, all of the visitor’s “secret” information gets transmitted unencrypted before the server responds telling it to re-request the page securely.
After the session goes secure it generally stays so, making it safe to send sensitive data around. But make sure that the security goes into place before any secrets go across the wire: not just before you read the secrets, but also before the visitor sends them.
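To make the rule's behaviour and the caveat concrete, here is an added Python example (not code from the original post, and Apache is not involved): it mirrors what the RewriteCond/RewriteRule pair computes for a request, lists which secret-looking parameters already crossed the wire in cleartext before the redirect could happen, and checks a page's form actions for submissions that would go out over plain HTTP. The request model, the SECRET_PARAMS list, the function names and the sample request and HTML are all constructed for illustration.

```python
"""Model of the .htaccess redirect and a check for the cleartext-secrets caveat.

Added example, not code from the original post. The functions below are
assumptions made for illustration; they reproduce the rule's logic in Python
so the effect on a request can be inspected offline.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Parameter names treated as secrets by the check (an assumption; extend as needed).
SECRET_PARAMS = {"password", "passwd", "token", "session", "api_key"}

# Constructed sample page fragment: one form submits over https, two would go out over http.
SAMPLE_HTML = """
<form action="https://example.com/login" method="post"></form>
<form action="http://example.com/login" method="post"></form>
<form action="/login" method="post"></form>
"""


def redirect_location(https_on: bool, host: str, request_uri: str, query: str = "") -> Optional[str]:
    """Mirror `RewriteCond %{HTTPS} off` + `RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}`.

    Returns the Location the client would be sent to, or None when the request
    already came in over TLS. %{REQUEST_URI} is the path only; mod_rewrite
    appends the original query string to the substitution by default, so any
    parameters survive the hop unchanged.
    """
    if https_on:
        return None
    location = f"https://{host}{request_uri}"
    if query:
        location += "?" + query
    return location


def secrets_sent_in_clear(https_on: bool, query: str) -> List[str]:
    """Names of secret-looking parameters that were already transmitted unencrypted.

    This is the point of the caveat: a redirect cannot un-send a cleartext request,
    so anything in the original http:// URL has already left the client in the clear.
    """
    if https_on:
        return []
    names = parse_qs(query, keep_blank_values=True)
    return sorted(name for name in names if name.lower() in SECRET_PARAMS)


FORM_ACTION_RE = re.compile(r"<form\b[^>]*\baction\s*=\s*[\"']([^\"']*)[\"']", re.IGNORECASE)


def insecure_form_actions(html: str, page_url: str) -> List[str]:
    """Return form actions that would submit over plain HTTP.

    Relative actions inherit the scheme of the page they sit on; an explicit
    http:// action is insecure regardless of any redirect the server performs
    afterwards, because the submission itself travels in cleartext.
    """
    page_scheme = urlsplit(page_url).scheme
    insecure = []
    for action in FORM_ACTION_RE.findall(html):
        scheme = urlsplit(action).scheme or page_scheme
        if scheme == "http":
            insecure.append(action)
    return insecure


if __name__ == "__main__":
    # Constructed sample request: a login submitted over plain HTTP with the password in the query.
    query = "user=alice&password=hunter2"
    print(redirect_location(False, "example.com", "/login", query))
    print(secrets_sent_in_clear(False, query))
    # A page served over http with the forms above: the http:// and relative actions are flagged.
    print(insecure_form_actions(SAMPLE_HTML, "http://example.com/"))
```

The redirect rule only fixes the scheme for the *next* request, so the check to run against your pages is the last one: every form action and every link that carries credentials must already point at https://. Keeping the session secure afterwards is something the excerpt above does not configure on its own; that is the job of the Strict-Transport-Security response header, which is separate from this rewrite rule.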