Hi, me newbie here.
So I am working on this website. It has to be dynamic, so it's a php-mysql combo.
It will have: general area, register, login, members area.
Now the thing is at least one part of the members area will have certain data that may best be secure.
So I was thinking that for that area I need to make it secure. The catch is, what if "they" get the username/password? ->access to the need to be secure area. Thinking about this I realised I need to go secure about the register part and the login part.
I have no experience with this whatsoever.
If I make everything secure, except the general area, how will this affect everything? - hardware requirement, bandwidth requirement, etc.
Any help, links, whatever you can think about is more than welcomed.
Oh, almost forgot, thinking about 10.000 clicks a month (be it unique or not).
Regards, B
php dynamic website > http and https
Re: php dynamic website > http and https
bogdan wrote:
> If I make everything secure, except the general area, how will this affect everything? - hardware requirement, bandwidth requirement, etc.
> Any help, links, whatever you can think about is more than welcomed.
> Oh, almost forgot, thinking about 10.000 clicks a month (be it unique or not).

10,000 page impressions/month is a very small site. Any hosting account will cope easily even if the entire thing is under SSL. It won't affect bandwidth usage at all.
Number one rule, think about scalability when designing code, even for a small project, because if
it is popular and does grow, you need to ensure your code has been written to handle the demand.
This rule applies to not making every page SSL.....
I developed carp.com, 35000 members and growing 1000 a month, 10,000,000 pages a month.
It's easy to switch between SSL (port 443) and non-SSL (port 80) pages.
In a common include file, included by all pages, I put the following line of code:

Code:
$USE_HTTPS = true; // I set this to true if SSL has been included or false if it hasn't.

Then the following lines of code:

Code:
// Base URLs for links; the host part is taken from the request's Host header.
$HTTP_HOST_NAME = 'http://' . trim( $_SERVER['HTTP_HOST'] );
$HTTPS_HOST_NAME = ( $USE_HTTPS ) ? 'https://' . trim( $_SERVER['HTTP_HOST'] ) : 'http://' . trim( $_SERVER['HTTP_HOST'] );

Then I explicitly code all URLs in the HTML for images, page calls to include (for SSL pages):

Code:
<a href="<?php echo $HTTPS_HOST_NAME; ?>/login.php">Login</a>

If $USE_HTTPS is true, then the URL on the page call will be: https://www.mydomain.com/login.php
If $USE_HTTPS is false, then the URL on the page call will be: http://www.mydomain.com/login.php
Also, to stop browser warnings with secure and insecure items on pages, make sure even images (all objects)
on SSL (https) pages are called with an absolute reference like:

Code:
<img src="<?php echo $HTTPS_HOST_NAME; ?>/images/mylogo.jpg" border="0">

The rule is, set $USE_HTTPS and use absolute Fully Qualified URLs prefixed with $HTTPS_HOST_NAME
for calls to secured pages and the objects within the page to stop the warnings.
If you are testing on Windows and you don't have SSL, just set the $USE_HTTPS to false.
If you want to disable SSL on your site, then set $USE_HTTPS to false and all calls will then be http://...
I use $HTTP_HOST_NAME for all non-SSL pages to keep consistency and also, if someone had the
idea of trying to invoke your non-SSL page by modifying the URL by changing the http to https, it won't
remain in that state on the next page call.
I put defensive code in to stop this by adding the following to the top of every page I don't
want to be SSL.

Code:
// Send the visitor back to plain HTTP if this page was requested over HTTPS.
// IIS sets $_SERVER['HTTPS'] to 'off' for non-SSL requests, so test the value, not just isset().
if ( !empty( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] !== 'off' ) {
    header( "Location: http://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}" );
    exit;
}

Only protect pages with ($HTTPS_HOST_NAME) data you need to secure, for the rest prefix with $HTTP_HOST_NAME
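
A hardened variant of the common include described in the post above, added here as an example and not part of the original post: it builds the same two base URLs but takes the host from an allow-list instead of trusting the Host header, and treats HTTPS=off (as IIS reports it) as plain HTTP. ALLOWED_HOSTS, the function names and the sample requests are assumptions made for the illustration.

```php
<?php
// Added example, not the poster's code. ALLOWED_HOSTS and all function names are hypothetical.
const ALLOWED_HOSTS = ['www.mydomain.com', 'mydomain.com'];

// True only when the request really arrived over TLS (IIS reports 'off' for plain HTTP).
function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Return the Host header only if it is on the allow-list, otherwise the canonical host.
function canonical_host(array $server): string
{
    $host = strtolower(trim($server['HTTP_HOST'] ?? ''));
    $host = preg_replace('/:\d+$/', '', $host);   // drop an optional :port
    return in_array($host, ALLOWED_HOSTS, true) ? $host : ALLOWED_HOSTS[0];
}

// Build the two base URLs the post calls $HTTP_HOST_NAME and $HTTPS_HOST_NAME.
function base_urls(array $server, bool $useHttps): array
{
    $host = canonical_host($server);
    return [
        'http'  => 'http://' . $host,
        'https' => ($useHttps ? 'https://' : 'http://') . $host,
    ];
}

// Location value that moves the request to the wanted scheme, or null if it is already there.
function scheme_redirect(array $server, bool $wantHttps): ?string
{
    if (request_is_https($server) === $wantHttps) {
        return null;
    }
    $path = $server['REQUEST_URI'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        $path = '/';                              // accept only a local path
    }
    return ($wantHttps ? 'https://' : 'http://') . canonical_host($server) . $path;
}

// Constructed sample requests (not real traffic).
$samples = [
    ['HTTP_HOST' => 'www.mydomain.com',   'HTTPS' => 'on',  'REQUEST_URI' => '/index.php'],
    ['HTTP_HOST' => 'unexpected.example', 'HTTPS' => 'off', 'REQUEST_URI' => '/login.php'],
];
foreach ($samples as $s) {
    echo json_encode([base_urls($s, true), scheme_redirect($s, true)], JSON_UNESCAPED_SLASHES), "\n";
}
```

In a real page the `$samples` loop is replaced by a call with `$_SERVER`, sending the result of `scheme_redirect()` in a `Location` header when it is not null.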
onion2k wrote:
> nezza wrote:
> > I developed carp.com..
> Ooo.. a rival! I developed http://www.waderson.com ..

I don't do fishing... not my thing.. i did it for a friend.... i've got my own stuff to do now.