Can I build a php website then get SSL

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
thomas49th
Forum Newbie
Posts: 11
Joined: Wed Aug 04, 2010 4:29 pm

Can I build a php website then get SSL

Post by thomas49th »

Hi, I wish to use SSL to prevent eavesdropping on my website. Can I develop my whole website without worrying about SSL yet then when it's finished simply purchase a SSL ticket and away I go? Or do I have to design with SSL functionality in mind?

Thanks
Thomas
thomas49th
Forum Newbie
Posts: 11
Joined: Wed Aug 04, 2010 4:29 pm

Re: Can I build a php website then get SSL

Post by thomas49th »

Sorry that was a little vague

Try this:

does SSL simply just not work over the top of the website?? I have little idea how it is to be implemented. I am concerned that because I'm writing a piece of software which interfaces with php scripts. So for logining in I send http://mysite.com/login.php?username=tom&password=test
then the php scripts connects to the mysql database and responds with yes or no. My software needs to send the username and password in encrypted form so noone can eavesdrop. Is getting an SSL certificate the right way to go. For testing purposes I was thinking of getting a certificate from startsll.com before maybe purchasing a real one later on.

My website runs C Panel, where there is a section of SSL/TLS management.

Sorry I am new to all of this.

Thanks
Thomas
User avatar
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: Can I build a php website then get SSL

Post by timWebUK »

You really shouldn't be sending a username and password via GET.

i.e.

.php?username=tim&password=test

Use POST. Send the data in the background - be sure to hash the password at the other end before you store it. Please search the forum for more details on this subject, there are plenty of resources.

Remember security is a large subject of many layers, don't just rely on one method or technology. Make SSL/TLS an additional lock the door.
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Can I build a php website then get SSL

Post by Mordred »

To answer the original question: yes, you can fully develop the site, then use SSL for parts or the whole site. The only difference is that SSL links would start with https. Also, read up on "secure" flag for cookies and use it on your login tokens.
User avatar
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Can I build a php website then get SSL

Post by flying_circus »

Mordred wrote:To answer the original question: yes, you can fully develop the site, then use SSL for parts or the whole site. The only difference is that SSL links would start with https. Also, read up on "secure" flag for cookies and use it on your login tokens.
Mordred,

Can we rely on the secure flag now? I didnt think it was supported on all browsers (though, I suppose thats not an excuse to refrain from implementing it).
Post Reply