When you have sections in a website that need to be under an SSL cert, do you:
1. Make every link to the section an absolute link to https://www.domain.com/page.php, and every link out again to http://www.domain.com/page.php
or
2. Put a bit of code in the top of the SSL pages to redirect to themselves under an https link if they're not in secure mode
Previously I've just linked to the https:// page and not worried about it if the users go to non-secure pages in secure mode after that. But I'm thinking that's lazy and bad practice.
SSL Secure Pages
Absolute links will not be enough. If a user types the link manually without the "s" in https, then they may be able to access the page without ssl.
I add code to the top of every page I need secure which checks whether the user has reached the page via ssl or not (using ports) and re-routes the user to the secure page if need be.
You can also define certain directories to be secure by default. Therefore any calls to pages in these directories will be routed via a secure port (ex. 443). This would be set up in your http server.
fred
R0d Longfella wrote: Perhaps this is already obvious, but if you use relative links and let the pages redirect to themselves (to make sure the connection is via https), then the sensitive information is still sent unsecurely at least once, to access the page which redirects. Sorry.
Hmm... at least in my example, I am protecting the information that the user input. The user will not have a chance to input any data before the page redirects itself to a secure version. Thus by the time the user inputs data and submits it, the user has already moved to a secure page.
Or am I missing something?
R0d Longfella wrote: No you didn't miss a thing. Just making sure you redirect before any "sensitive" data is being sent.
Thanks for the heads up. Actually after your post I did some research, and I've changed some things on my website. Instead of redirecting using PHP, I'm now redirecting using .htaccess (RewriteEngine). I do believe this technique is more secure.
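The "code at the top of the page" approach discussed in this thread, together with the point about data that travels in clear text before the redirect, written out as an added example that is not code from any poster. It assumes TLS terminates on the web server itself (no proxy in front); `CANONICAL_HOST`, `is_https`, `https_decision` and `require_https` are hypothetical names, and the HSTS max-age is an example value.

```php
<?php
// Added example, not code from the thread. Call require_https() at the top of
// each protected page, before session_start() and before any output.
const CANONICAL_HOST = 'www.domain.com'; // placeholder host from the first post

// True when the request arrived over TLS (HTTPS flag, or port 443 as fred describes).
function is_https(array $server): bool
{
    $flag = strtolower($server['HTTPS'] ?? '');
    return ($flag !== '' && $flag !== 'off')
        || (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

// Returns [status, headers]; status 0 means "already secure, serve the page".
function https_decision(array $server): array
{
    if (is_https($server)) {
        // HSTS: the browser skips plain HTTP on later visits to this host.
        return [0, ['Strict-Transport-Security: max-age=31536000']];
    }
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    if ($method !== 'GET' && $method !== 'HEAD') {
        // A form body has already crossed the wire unencrypted; a redirect
        // cannot undo that, so refuse instead of silently accepting it.
        return [403, []];
    }
    $path = $server['REQUEST_URI'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        $path = '/'; // ignore absolute-form or malformed request targets
    }
    // Fixed host name: never build the target from the client's Host header.
    return [301, ['Location: https://' . CANONICAL_HOST . $path]];
}

function require_https(): void
{
    // Session cookie is only sent over TLS, so a first plain-HTTP hit cannot leak it.
    ini_set('session.cookie_secure', '1');
    [$status, $headers] = https_decision($_SERVER);
    foreach ($headers as $h) {
        header($h);
    }
    if ($status !== 0) {
        http_response_code($status);
        exit;
    }
}
```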