SSL Secure Pages

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

SSL Secure Pages

Post by onion2k »

When you have sections in a website that need to be under an SSL cert, do you:

1. Make every link to the section an absolute link to https://www.domain.com/page.php, and every link out again to http://www.domain.com/page.php

or

2. Put a bit of code in the top of the SSL pages to redirect to themselves under an https link if they're not in secure mode

Previously I've just linked to the https:// page and not worried about it if the users go to non-secure pages in secure mode after that. But I'm thinking that's lazy and bad practice.
faswad
Forum Newbie
Posts: 5
Joined: Tue May 31, 2005 6:39 pm

Post by faswad »

Absolute links will not be enough. If a user types the link manually without the "s" in https, then they may be able to access the page without SSL.

I add code to the top of every page I need secure which checks whether the user has come to the page via SSL or not (using ports) and re-routes the user to the secure page if need be.

You can also define certain directories to be secure by default. Therefore any calls to pages in these directories will be routed via a secure port (e.g. 443). This would be set up in your HTTP server.

fred
R0d Longfella
Forum Newbie
Posts: 20
Joined: Fri Apr 08, 2005 7:17 am

Post by R0d Longfella »

Perhaps this is already obvious, but if you use relative links and let the pages redirect to themselves (to make sure the connection is via https), then the sensitive information is still sent unsecurely at least once, to access the page which redirects. Sorry.
faswad
Forum Newbie
Posts: 5
Joined: Tue May 31, 2005 6:39 pm

Post by faswad »

R0d Longfella wrote: Perhaps this is already obvious, but if you use relative links and let the pages redirect to themselves (to make sure the connection is via https), then the sensitive information is still sent unsecurely at least once, to access the page which redirects. Sorry.

Hmm... at least in my example, I am protecting the information that the user inputs. The user will not have a chance to input any data before the page redirects itself to a secure version. Thus by the time the user inputs data and submits it, the user has already moved to a secure page.

Or am I missing something?
R0d Longfella
Forum Newbie
Posts: 20
Joined: Fri Apr 08, 2005 7:17 am

Post by R0d Longfella »

No, you didn't miss a thing. Just making sure you redirect before any "sensitive" data is being sent.
faswad
Forum Newbie
Posts: 5
Joined: Tue May 31, 2005 6:39 pm

Post by faswad »

R0d Longfella wrote: No, you didn't miss a thing. Just making sure you redirect before any "sensitive" data is being sent.

Thanks for the heads up. Actually, after your post I did some research, and I've changed some things on my website. Instead of redirecting using PHP, I'm now redirecting using .htaccess (RewriteEngine). I do believe this technique is more secure.
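
The top-of-page check discussed in this thread, combined with the caveat that whatever the browser sends on the first plain-HTTP request has already travelled unencrypted. This is an added example, not code posted by anyone in the thread. The function names and CANONICAL_HOST are hypothetical, www.domain.com is the placeholder from the first post, and TLS is assumed to terminate on the web server itself.

```php
<?php
// Added example. CANONICAL_HOST, request_is_https(), https_decision() and
// require_https() are hypothetical names; www.domain.com is the thread's placeholder.
const CANONICAL_HOST = 'www.domain.com';

function request_is_https(array $server): bool
{
    // Apache sets HTTPS=on for TLS requests; IIS sets HTTPS=off for plain HTTP.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Port check from the thread; assumes no proxy or load balancer terminates TLS.
    return (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

// Returns ['continue'], ['redirect', $url] or ['reject'].
function https_decision(array $server): array
{
    if (request_is_https($server)) {
        return ['continue'];
    }
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    if ($method !== 'GET' && $method !== 'HEAD') {
        // The form body already crossed the network in clear text; refuse, don't bounce.
        return ['reject'];
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/'; // only same-site paths are appended to the fixed host
    }
    return ['redirect', 'https://' . CANONICAL_HOST . $uri]; // never the Host header
}

function require_https(): void
{
    $decision = https_decision($_SERVER);
    if ($decision[0] === 'redirect') {
        header('Location: ' . $decision[1], true, 301);
        exit;
    }
    if ($decision[0] === 'reject') {
        http_response_code(403);
        exit('This page must be requested over HTTPS.');
    }
    // Before session_start(): Secure flag keeps the session cookie off plain HTTP.
    ini_set('session.cookie_secure', '1');
}
require_https(); // first statement of every page in the secure section
```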