PHP dynamic website > http and https

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

bogdan
Forum Commoner
Posts: 27
Joined: Wed May 31, 2006 10:07 am
Location: Timisoara, Ro

PHP dynamic website > http and https

Post by bogdan »

Hi, me newbie here.

So I am working on this website. It has to be dynamic, so it's a PHP-MySQL combo.
It will have: general area, register, login, members area.
Now the thing is, at least one part of the members area will have certain data that may best be secure.

So I was thinking that for that area I need to make it secure. The catch is, what if "they" get the username/password? -> access to the needs-to-be-secure area. Thinking about this I realised I need to go secure about the register part and the login part.

I have no experience with this whatsoever.

If I make everything secure, except the general area, how will this affect everything? - hardware requirements, bandwidth requirements, etc.

Any help, links, whatever you can think about is more than welcomed.

Oh, almost forgot, thinking about 10,000 clicks a month (be it unique or not).

Regards, B
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: PHP dynamic website > http and https

Post by onion2k »

bogdan wrote:If I make everything secure, except the general area, how will this affect everything? - hardware requirements, bandwidth requirements, etc.
Any help, links, whatever you can think about is more than welcomed.
Oh, almost forgot, thinking about 10,000 clicks a month (be it unique or not).
10,000 page impressions/month is a very small site. Any hosting account will cope easily even if the entire thing is under SSL. It won't affect bandwidth usage at all.
bogdan
Forum Commoner
Posts: 27
Joined: Wed May 31, 2006 10:07 am
Location: Timisoara, Ro

Post by bogdan »

So making it secure is the best way to go about it?
I'm not expecting more than 10,000 because it's a specific thing, a niche area so to speak.

Thank you, B - help is very much appreciated (I may be a typoer... sorry)
nezza
Forum Newbie
Posts: 3
Joined: Wed Jul 05, 2006 3:46 am

Post by nezza »

Number one rule: think about scalability when designing code, even for a small project, because if
it is popular and does grow, you need to ensure your code has been written to handle the demand.

This rule applies to not making every page SSL.

I developed carp.com, 35000 members and growing 1000 a month, 10,000,000 pages a month.

It's easy to switch between SSL (port 443) and non-SSL (port 80) pages.

In a common include file, included by all pages, I put the following line of code:

Code:

$USE_HTTPS = true;    // I set this to true if SSL has been included or false if it hasn't.
Then the following lines of code:

Code:

$HTTP_HOST_NAME = 'http://' . trim( $_SERVER['HTTP_HOST'] );
$HTTPS_HOST_NAME = ( $USE_HTTPS ) ? 'https://' . trim( $_SERVER['HTTP_HOST'] ) : 'http://' . trim( $_SERVER['HTTP_HOST'] );
Then I explicitly code all URLs in the HTML for images and page calls (for SSL pages):

Code:

<a href="<?php echo $HTTPS_HOST_NAME; ?>/login.php">Login</a>
If $USE_HTTPS is true, then the URL on the page call will be: https://www.mydomain.com/login.php
If $USE_HTTPS is false, then the URL on the page call will be: http://www.mydomain.com/login.php

Also, to stop browser warnings about secure and insecure items on pages, make sure even images (all objects)
on SSL (https) pages are called with an absolute reference like:

Code:

<img src="<?php echo $HTTPS_HOST_NAME; ?>/images/mylogo.jpg" border="0">
The rule is: set $USE_HTTPS and use absolute, fully qualified URLs prefixed with $HTTPS_HOST_NAME
for calls to secured pages and the objects within the page to stop the warnings.
If you are testing on Windows and you don't have SSL, just set $USE_HTTPS to false.

If you want to disable SSL on your site, then set $USE_HTTPS to false and all calls will then be http://...

I use $HTTP_HOST_NAME for all non-SSL pages to keep consistency and also, if someone had the
idea of trying to invoke your non-SSL page by modifying the URL, changing the http to https, it won't
remain in that state on the next page call.

I put defensive code in to stop this by adding the following to the top of every page I don't
want to be SSL.

Code:

if ( !empty( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] !== 'off' ) {   // IIS sets HTTPS to 'off' on plain HTTP, so isset() alone is not enough
   header( "Location: http://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}" );
   exit;
}

Only protect pages with $HTTPS_HOST_NAME that have data you need to secure; for the rest, prefix with $HTTP_HOST_NAME.
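As an added example (not nezza's code, not from carp.com, and not part of the original post), here is a hardened version of the same scheme covering both parts of the post above: the $USE_HTTPS URL builder and the redirect that pins a page to one scheme. It goes a little beyond the post: the HTTPS test also handles servers that set $_SERVER['HTTPS'] to 'off' and a trusted reverse proxy, the redirect works in both directions, the host name is configured rather than read from the Host header (which the client controls), and the members-area session cookie is marked secure so the login the HTTPS pages protected is not leaked by the plain-HTTP pages. The host name, the proxy flag and the file names are assumptions for illustration.

```php
<?php
// Added example, not nezza's code and not from carp.com: a hardened form of the
// $USE_HTTPS / scheme-redirect scheme from the post above. The constants are
// placeholders you set for your own deployment (assumptions, not from the thread).
declare(strict_types=1);

const USE_HTTPS      = true;              // false while testing on a box with no certificate
const CANONICAL_HOST = 'www.example.com'; // assumed name; configured, not read from the Host header
const BEHIND_PROXY   = false;             // true only if a TLS-terminating proxy you control is in front

/**
 * Is the current request over TLS?
 * Apache leaves $_SERVER['HTTPS'] unset for plain HTTP, but IIS sets it to the
 * string 'off', so a bare isset() check misreports plain-HTTP requests as secure.
 */
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    // Behind a proxy the PHP backend sees plain HTTP. Trust X-Forwarded-Proto only
    // when the proxy is yours: otherwise any client can send that header directly.
    if (BEHIND_PROXY && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower((string) $server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

/** Path of the current request, cleaned so it can be placed in a Location header. */
function safe_request_uri(array $server): string
{
    $uri = (string) ($server['REQUEST_URI'] ?? '/');
    $uri = preg_replace('/[\x00-\x1F\x7F]/', '', $uri); // strip CR/LF and other control bytes
    return ($uri === '' || $uri[0] !== '/') ? '/' : $uri;
}

/** Absolute URL for a page that must be served over TLS (login, register, members area). */
function https_url(string $path): string
{
    $scheme = USE_HTTPS ? 'https' : 'http';
    return $scheme . '://' . CANONICAL_HOST . '/' . ltrim($path, '/');
}

/** Absolute URL for a public page that stays on plain HTTP. */
function http_url(string $path): string
{
    return 'http://' . CANONICAL_HOST . '/' . ltrim($path, '/');
}

/**
 * The scheme-pinning check from the post, generalised to both directions:
 * returns the URL to redirect to if the request arrived over the wrong scheme,
 * or null if it is already correct. Call it before any output is sent.
 */
function redirect_for_scheme(array $server, bool $want_https): ?string
{
    $want_https = $want_https && USE_HTTPS;      // with SSL disabled everything is http
    if (request_is_https($server) === $want_https) {
        return null;
    }
    $scheme = $want_https ? 'https' : 'http';
    return $scheme . '://' . CANONICAL_HOST . safe_request_uri($server);
}

/**
 * Session start for the members area. Beyond what the thread discusses, but it is
 * the point of the whole scheme: if the session cookie is also sent with plain-HTTP
 * requests (public pages, an http:// image), the login that HTTPS protected is
 * exposed on the wire. 'secure' pins the cookie to TLS. Needs PHP 7.3 or later.
 */
function start_members_session(): void
{
    session_set_cookie_params([
        'secure'   => USE_HTTPS,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Top of login.php / register.php / any members page (skipped when run from the CLI):
if (PHP_SAPI !== 'cli') {
    if ($to = redirect_for_scheme($_SERVER, true)) {
        header('Location: ' . $to, true, 301);
        exit;
    }
    start_members_session();
}
```

At the top of a public page call redirect_for_scheme($_SERVER, false) instead and answer with a 302, which mirrors nezza's http-pinning check without leaving a permanent redirect in the browser's cache if the site later moves wholly to HTTPS. In templates, echo https_url('login.php') or https_url('images/mylogo.jpg') into href and src attributes (through htmlspecialchars), which gives the same absolute-URL behaviour as $HTTPS_HOST_NAME in the post.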
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

nezza wrote:I developed carp.com..
Ooo.. a rival! I developed http://www.waderson.com .. :)
nezza
Forum Newbie
Posts: 3
Joined: Wed Jul 05, 2006 3:46 am

Post by nezza »

onion2k wrote:
nezza wrote:I developed carp.com..
Ooo.. a rival! I developed http://www.waderson.com .. :)
I don't do fishing... not my thing.. i did it for a friend.... i've got my own stuff
to do now.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

nezza wrote:I don't do fishing... not my thing.. i did it for a friend.... i've got my own stuff
to do now.
I don't fish either .. I just wrote the site.