Hi, I want to implement SSL redirection on the login pages of my websites. Example: I have a page http://www.example.com/login
You are on this page and have to enter a login and password to log in. When I enter the user and password, at the time of submitting it should redirect to https, and after the page is logged in it should go back to http in the address bar, like we see on hotmail.com: we enter the user ID and password, and when we click on sign in it shows it is signing in through https in the address bar, and then it returns to http in the address bar with the next logged-in page.
Any help? Please also tell me what my SSL/https settings should be in httpd.conf and the SSL config. I have a dedicated CentOS server with cPanel. An SSL certificate is installed for http://www.example.com.
Please, if anyone can, tell me step by step and in detail.
I'm using PHP for coding.
Thanks
php and ssl
- mecha_godzilla
- Forum Contributor
- Posts: 375
- Joined: Wed Apr 14, 2010 4:45 pm
- Location: UK
Re: php and ssl
Hi,
I'll answer the easiest bit first - you could try this bit of code to redirect from the http:// to https:// version of your site:
Code:
if ($_SERVER['SERVER_PORT'] != 443) {
    // Not on the HTTPS port: send the visitor to the secure version of the page
    $redirected_address = 'Location: https://www.example.com/index.php';
    header($redirected_address);
    // Stop here so nothing else is sent over the insecure connection
    exit();
}
You could also explode the URL as well I guess.
I usually put this code on the index page to make sure that visitors can't log-in insecurely. Once they've passed the log-in test then you can just redirect to the http:// version. Is there any reason for switching back to an insecure connection again though? I know lots of sites do this but it seems a bit odd because everything (including my emails!) is being sent in the clear and there's obviously a lot more traffic to snoop.
If you want to change things so that users can only connect securely you might also want to make sure that cookies are only being sent when people are on the secure section of the site - this would require you to edit the php.ini file (or override it with a directive if you don't have access to it.)
HTH,
Mecha Godzilla
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: php and ssl
Hotmail does that? I guess the form target address is then just https://. Anyway, you are much better off keeping that SSL/TLS turned on and using HTTP Strict Transport Security to your advantage.
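The advice in the two replies above (redirect to https, send cookies only over the secure connection, use HTTP Strict Transport Security), combined in one PHP include. This is an added example, not code from the thread; CANONICAL_HOST and the function names are assumptions, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example. CANONICAL_HOST is an assumed constant for this sketch:
// set it to the host name that the installed certificate covers.
const CANONICAL_HOST = 'www.example.com';

// True when the request arrived over TLS. Apache's mod_ssl sets
// $_SERVER['HTTPS']; the port test from the thread is kept as a fallback.
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return (int)($server['SERVER_PORT'] ?? 0) === 443;
}

// Build the https:// target from a fixed host name rather than the
// client-supplied Host header, and keep the requested path and query.
function https_target(array $server): string
{
    $uri = str_replace(["\r", "\n"], '', $server['REQUEST_URI'] ?? '/');
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }
    return 'https://' . CANONICAL_HOST . $uri;
}

function enforce_https(array $server): void
{
    if (!request_is_https($server)) {
        header('Location: ' . https_target($server), true, 301);
        exit();
    }
    // Browsers honour HSTS only on HTTPS responses, so send it here.
    header('Strict-Transport-Security: max-age=31536000');
    // Run-time equivalent of session.cookie_secure / session.cookie_httponly
    // in php.ini: the session cookie is never sent over plain http.
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Include at the top of every page, before any output.
if (PHP_SAPI !== 'cli') {
    enforce_https($_SERVER);
    session_start();
}
```

With the session cookie marked secure, a page served over http no longer sees the logged-in session, so this setup fits a site that stays on https after login.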
- mecha_godzilla
- Forum Contributor
- Posts: 375
- Joined: Wed Apr 14, 2010 4:45 pm
- Location: UK
Re: php and ssl
Kai - Yahoo! Mail does it as well and after you've logged-in all the authentication is done via the URL. Actually, I haven't checked what's in the cookies but there is certainly a lot of information being sent in the URL. I suspect this is a hold-over from the days when sites didn't like to do everything through SSL/TLS for performance reasons.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: php and ssl
mecha_godzilla wrote: I suspect this is a hold-over from the days when sites didn't like to do everything through SSL/TLS for performance reasons.
Possibly, but hey, we have Gmail nowadays