php and ssl

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


wes007
Forum Newbie
Posts: 1
Joined: Tue Aug 31, 2010 6:00 pm

php and ssl

Post by wes007 »

Hi, I want to implement SSL redirection on the login pages of my websites. Example: I have a page http://www.example.com/login

You are on this page and have to enter your login and password to log in. I want that when I put in my user and password and submit, it should redirect to https, and after the page is logged in it should go back to http in the address bar, like we see on hotmail.com: we put in the user id and password, and when we click on sign in it shows it's signing in through https in the address bar, and then it returns back to http in the address bar with the next logged-in page.

Any help??? And please also tell me what my SSL https settings should be in httpd.conf and the ssl config. I have a dedicated CentOS server with cPanel. The SSL certificate is installed for http://www.example.com.

Please, if anyone can tell me step by step and in detail.
I'm using PHP for coding.

Thanks
mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Re: php and ssl

Post by mecha_godzilla »

Hi,

I'll answer the easiest bit first - you could try this bit of code to redirect from the http:// to https:// version of your site:

    // If the request did not arrive on the TLS port, send the visitor to the
    // https:// version of the site and stop processing the insecure request.
    if ($_SERVER['SERVER_PORT'] != 443) {
        $redirected_address = 'Location: https://www.example.com/index.php';
        header($redirected_address);
        exit();
    }
You could also explode the URL as well I guess.

I usually put this code on the index page to make sure that visitors can't log in insecurely. Once they've passed the log-in test then you can just redirect to the http:// version. Is there any reason for switching back to an insecure connection again though? I know lots of sites do this but it seems a bit odd because everything (including my emails!) is being sent in the clear and there's obviously a lot more traffic to snoop.

If you want to change things so that users can only connect securely you might also want to make sure that cookies are only being sent when people are on the secure section of the site - this would require you to edit the php.ini file (or override it with a directive if you don't have access to it).

HTH,

Mecha Godzilla
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: php and ssl

Post by kaisellgren »

Hotmail does that? I guess the form target address is then just https://. Anyway, you are much better off keeping that SSL/TLS turned on and using HTTP Strict Transport Security to your advantage.
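The three pieces of advice in this thread (redirect insecure requests to https://, send cookies only over the secure connection, and use HTTP Strict Transport Security) combined into one PHP snippet, added here as an example and not code from the thread. The host name www.example.com and the one-year HSTS max-age are assumptions for your own site.

```php
<?php
// Added example: force HTTPS, mark the session cookie Secure/HttpOnly and
// send an HSTS header. Host name and max-age below are assumptions.
declare(strict_types=1);

function request_is_https(array $server): bool
{
    // Apache sets HTTPS to "on"; some SAPIs use "1". Fall back to the port.
    // Behind a TLS-terminating proxy neither is reliable without proxy config.
    if (isset($server['HTTPS']) && $server['HTTPS'] !== '' && $server['HTTPS'] !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

function https_url(array $server, string $host): string
{
    // Rebuild the requested path on the https scheme. The host is pinned rather
    // than copied from the Host header so the redirect cannot be steered elsewhere.
    $uri = $server['REQUEST_URI'] ?? '/';
    return 'https://' . $host . $uri;
}

function enforce_https(string $host): void
{
    if (!request_is_https($_SERVER)) {
        header('Location: ' . https_url($_SERVER, $host), true, 301);
        exit;
    }
    // Only meaningful on an HTTPS response: browsers ignore HSTS sent over http.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

function start_secure_session(): void
{
    // Per-script equivalent of the php.ini directives mentioned above, for hosts
    // where php.ini cannot be edited directly.
    ini_set('session.cookie_secure', '1');   // cookie sent over TLS only
    ini_set('session.cookie_httponly', '1'); // not readable from page scripts
    ini_set('session.use_only_cookies', '1'); // no session id in the URL
    session_start();
}

enforce_https('www.example.com');
start_secure_session();
```

Include this at the top of the login page (before any output), so the credentials form and the session cookie are never served over plain http.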
mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Re: php and ssl

Post by mecha_godzilla »

Kai - Yahoo! Mail does it as well, and after you've logged in all the authentication is done via the URL. Actually, I haven't checked what's in the cookies but there is certainly a lot of information being sent in the URL. I suspect this is a hold-over from the days when sites didn't like to do everything through SSL/TLS for performance reasons.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: php and ssl

Post by kaisellgren »

mecha_godzilla wrote: I suspect this is a hold-over from the days when sites didn't like to do everything through SSL/TLS for performance reasons.

Possibly, but hey, we have Gmail nowadays :)