SSL Secure Pages
Posted: Fri May 20, 2005 4:03 am
by onion2k
When you have sections in a website that need to be under an SSL cert, do you:
1. Make every link to the section an absolute link to https://www.domain.com/page.php, and every link out again to http://www.domain.com/page.php
or
2. Put a bit of code in the top of the SSL pages to redirect to themselves under an https link if they're not in secure mode
Previously I've just linked to the https:// page and not worried about it if the users go to non-secure pages in secure mode after that. But I'm thinking that's lazy and bad practice.
Posted: Tue May 31, 2005 6:44 pm
by faswad
Absolute links will not be enough. If a user types the link manually without the "s" in https, then they may be able to access the page without SSL.
I add code to the top of every page I need secure which checks whether the user is connected to the page via SSL or not (using ports) and re-routes the user to the secure page if need be.
You can also define certain directories to be secure by default. Therefore any calls to pages in these directories will be routed via a secure port (e.g. 443). This would be set up in your HTTP server.
fred
Posted: Wed Jun 01, 2005 6:51 am
by R0d Longfella
Perhaps this is already obvious, but if you use relative links and let the pages redirect to themselves (to make sure the connection is via https), then the sensitive information is still sent insecurely at least once, to access the page which redirects. Sorry.
Posted: Wed Jun 01, 2005 6:50 pm
by faswad
R0d Longfella wrote: Perhaps this is already obvious, but if you use relative links and let the pages redirect to themselves (to make sure the connection is via https), then the sensitive information is still sent insecurely at least once, to access the page which redirects. Sorry.
Hmm... at least in my example, I am protecting the information that the user inputs. The user will not have a chance to input any data before the page redirects itself to a secure version. Thus by the time the user inputs data and submits it, the user has already moved to a secure page.
Or am I missing something?
Posted: Fri Jun 03, 2005 12:05 pm
by R0d Longfella
No, you didn't miss a thing. Just making sure you redirect before any "sensitive" data is being sent.
Posted: Fri Jun 03, 2005 12:43 pm
by faswad
R0d Longfella wrote: No, you didn't miss a thing. Just making sure you redirect before any "sensitive" data is being sent.
Thanks for the heads up. Actually, after your post I did some research, and I've changed some things on my website. Instead of redirecting using PHP, I'm now redirecting using .htaccess (RewriteEngine). I do believe this technique is more secure.
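Added example, not part of any post in this thread: a top-of-page PHP guard of the kind faswad describes, which also covers R0d Longfella's point by refusing non-GET requests that arrived over plain HTTP instead of redirecting them. `CANONICAL_HOST` and the function names are assumptions, and it assumes TLS terminates on the web server itself rather than on a proxy in front of it.

```php
<?php
// Added example. CANONICAL_HOST is a placeholder for the site's real hostname.
const CANONICAL_HOST = 'www.domain.com';

/** True when the current request arrived over SSL/TLS on this server. */
function request_is_https(array $server): bool
{
    // Apache sets HTTPS to a non-empty value; IIS sets it to "off" for plain HTTP.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Fallback: the port check mentioned in the thread.
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

/** Returns [HTTP status, headers to send] for a page that must be secure. */
function secure_page_decision(array $server): array
{
    if (request_is_https($server)) {
        return [200, []];
    }
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if ($method !== 'GET' && $method !== 'HEAD') {
        // A POST body has already crossed the network in clear text.
        // Redirecting would hide that, so reject the request instead.
        return [403, []];
    }
    // Build the target from a fixed hostname, never from the Host header,
    // so the redirect cannot be steered to another site.
    $path = $server['REQUEST_URI'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        $path = '/';
    }
    return [301, ['Location: https://' . CANONICAL_HOST . $path]];
}

/** Call before any output on every page that must only be served securely. */
function enforce_https(): void
{
    [$status, $headers] = secure_page_decision($_SERVER);
    if ($status === 200) {
        return;
    }
    http_response_code($status);
    foreach ($headers as $header) {
        header($header);
    }
    exit;
}

enforce_https();
```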