php and ssl

Posted: Tue Aug 31, 2010 6:11 pm
by wes007
Hi, I want to implement SSL redirection in the login pages of my websites. Example: I have a page http://www.example.com/login

You are on this page and have to enter a login and password to log in. When I enter the user and password and submit, I want it to redirect to https, and once the page is logged in it should go back to http in the address bar, like we see on hotmail.com: we enter the user ID and password, and when we click sign in it shows it is signing in through https in the address bar, and then it returns to http in the address bar with the next logged-in page.

Any help? Please also tell me what my SSL/https settings should be in httpd.conf and the SSL config. I have a dedicated CentOS server with cPanel. An SSL certificate is installed for http://www.example.com.

Please, if anyone can tell me step by step and in detail.
I'm using PHP for coding.

Thanks

Re: php and ssl

Posted: Thu Sep 02, 2010 4:23 pm
by mecha_godzilla
Hi,

I'll answer the easiest bit first - you could try this bit of code to redirect from the http:// to https:// version of your site:

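Code:

<?php
// Any request that did not arrive on the HTTPS port is sent to the https:// site.
if ($_SERVER['SERVER_PORT'] != 443) {
	$redirected_address = 'Location: https://www.example.com/index.php';
	header($redirected_address);
	exit(); // stop here so nothing is rendered over plain HTTP
}
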
You could also explode the URL as well I guess.

I usually put this code on the index page to make sure that visitors can't log-in insecurely. Once they've passed the log-in test then you can just redirect to the http:// version. Is there any reason for switching back to an insecure connection again though? I know lots of sites do this but it seems a bit odd because everything (including my emails!) is being sent in the clear and there's obviously a lot more traffic to snoop.

If you want to change things so that users can only connect securely you might also want to make sure that cookies are only being sent when people are on the secure section of the site - this would require you to edit the php.ini file (or override it with a directive if you don't have access to it.)

HTH,

Mecha Godzilla

Re: php and ssl

Posted: Sun Sep 12, 2010 6:23 am
by kaisellgren
Hotmail does that? I guess the form target address is then just https://. Anyway, you are much better off keeping that SSL/TLS turned on and using HTTP Strict Transport Security to your advantage.
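
An added example, not code posted by anyone in this thread: the redirect from the first reply combined with the secure-cookie and HTTP Strict Transport Security suggestions, for a site that stays on HTTPS. The host constant, the max-age value and the function names are assumptions.

```php
<?php
// Added example. CANONICAL_HOST, HSTS_MAX_AGE and the function names are assumptions.
const CANONICAL_HOST = 'www.example.com';
const HSTS_MAX_AGE = 31536000; // one year, in seconds

// True when the SAPI reports that the request arrived over TLS.
function is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Returns [status code or null, header lines] for one request.
function transport_headers(array $server): array
{
    if (!is_https($server)) {
        // Fixed host: the client-supplied Host header never reaches the Location value.
        $path = $server['REQUEST_URI'] ?? '/';
        if ($path === '' || $path[0] !== '/') {
            $path = '/';
        }
        return [301, ['Location: https://' . CANONICAL_HOST . $path]];
    }
    // Browsers ignore HSTS received over plain HTTP, so send it on HTTPS responses only.
    return [null, ['Strict-Transport-Security: max-age=' . HSTS_MAX_AGE]];
}

function enforce_https(array $server): void
{
    [$status, $headers] = transport_headers($server);
    foreach ($headers as $line) {
        header($line, true, $status ?? 0);
    }
    if ($status !== null) {
        exit; // redirect sent; do not render the page over HTTP
    }
    // Runtime equivalent of session.cookie_secure / session.cookie_httponly in php.ini
    // (array form needs PHP 7.3+); call before session_start().
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests: one plain HTTP, one HTTPS.
    $samples = [['REQUEST_URI' => '/login'], ['HTTPS' => 'on', 'REQUEST_URI' => '/login']];
    foreach ($samples as $request) {
        print_r(transport_headers($request));
    }
} else {
    enforce_https($_SERVER);
}
```

Behind a TLS-terminating proxy `$_SERVER['HTTPS']` is not set, so `is_https()` would need to read whatever the proxy sets instead.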

Re: php and ssl

Posted: Sun Sep 12, 2010 3:04 pm
by mecha_godzilla
Kai - Yahoo! Mail does it as well and after you've logged-in all the authentication is done via the URL. Actually, I haven't checked what's in the cookies but there is certainly a lot of information being sent in the URL. I suspect this is a hold-over from the days when sites didn't like to do everything through SSL/TLS for performance reasons.

Re: php and ssl

Posted: Mon Sep 13, 2010 11:34 am
by kaisellgren
mecha_godzilla wrote: I suspect this is a hold-over from the days when sites didn't like to do everything through SSL/TLS for performance reasons.
Possibly, but hey, we have Gmail nowadays :)