PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




 Post subject: https logins
PostPosted: Wed Sep 12, 2012 2:14 am 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
When writing a login system, are there any considerations to take into account if the login takes place over an https connection? Would I have to make changes to existing code that works over a standard http connection?

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


 Post subject: Re: https logins
PostPosted: Wed Sep 12, 2012 4:19 am 
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
No: it'll work the exact same way. All SSL does is encrypt the connection between the user and your server - what's said and done in that communication doesn't change.


 Post subject: Re: https logins
PostPosted: Wed Sep 12, 2012 4:50 am 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
Cool; thanks for the reply



 Post subject: Re: https logins
PostPosted: Mon Sep 17, 2012 2:07 pm 
Forum Regular

Joined: Wed Mar 05, 2008 11:23 pm
Posts: 732
Location: Sunriver, OR
The short answer is, it depends.

Are you using dedicated or shared SSL? If you are using shared SSL, then you will probably need to force the session id to be passed in the address when transitioning from https to http and vice versa.


 Post subject: Re: https logins
PostPosted: Mon Sep 17, 2012 4:15 pm 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za



 Post subject: Re: https logins
PostPosted: Mon Sep 17, 2012 7:33 pm 
Forum Regular

Joined: Wed Mar 05, 2008 11:23 pm
Posts: 732
Location: Sunriver, OR
Yes, I've found that to be the easiest way, but as soon as the request is received through https (or vice versa) I regenerate the id.


 Post subject: Re: https logins
PostPosted: Tue Sep 18, 2012 2:12 pm 
Forum Regular

Joined: Wed Mar 05, 2008 11:23 pm
Posts: 732
Location: Sunriver, OR
I've been giving more thought to your original question, and figured I'd take a little more time to weigh in.

I classify login/registration systems in 2 ways, private and public.

Private:
I build a website and my client wants to log in through a web portal to change aspects of the site. There are no user registrations as they don't offer "accounts" to their customers. Basically they do not offer any account registrations for anyone outside of their company.

Public:
The most typical scenario is e-commerce where website visitors can register and create an account.


If you are going to offer a public registration, you need to get a dedicated SSL certificate signed by one of the trusted certificate authorities (GeoTrust, VeriSign, etc). This also requires a static IP address, which will cost a few bucks more each month.

If you are only offering private access, then you have a decision to make. You can use a shared SSL certificate or a self-signed certificate.

Let's talk self-signed first, it's a shorter discussion.

Self-Signed Certificate:
This also requires a static IP, so it will cost a few extra bucks per month, but you will remain at the same domain for the entire transaction (read next section for clarification). This means it will function as you expect, either http://example.com or https://example.com. This is an easy solution from a development standpoint, but your client will receive a warning "The security certificate presented by this website was not issued by a trusted certificate authority." and they will have to click the link "Continue to this website (not recommended).". Not usually an issue if you take the time to educate your client.

Shared SSL:
Does not require a static IP, but your address will change when moving between http/https sections of the website. The difference is easy to see: http://example.com and https://secure.mywebhost.com/~example. The problem is, cookies are tied to domain names, so when you go from example.com to mywebhost.com/~example (or vice versa) your session will not persist, logging your users out. You can get around this by doing the trick I suggest above; your application will need to propagate the session variable through a POST or GET var. This however brings up a host of other concerns on session based attacks, so make sure you regenerate the session id when a request is received like this.

Other thoughts on Shared SSL:
Most browsers are becoming more strict about mixed content. They will display a prompt asking "Do you want to display only secure content on this page?" if you are pulling the request over https and other parts of the page (like JavaScript files, stylesheets, or images) over http. Let's face it, those things don't really need to come over https anyway.

Another consideration is that some webhosts (specifically Bluehost, and I don't know who else) are throttling the data coming through their shared SSL server. They will truncate the request after x number of bytes. I have a project that includes some external scripts such as jQuery, and the https stream truncates in the middle of the jQuery JavaScript file. The only option is to pull it over an http connection.


Anyway, this post has turned more to rambling than anything, so hopefully you learned at least 1 new thing from it. Lunch Time! 8)
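The http/https hand-off described in the two posts above (pass the session through the URL when moving between example.com and the shared-SSL host, then regenerate the id on arrival), as an added PHP example that is not code from the thread. It carries a short-lived, single-use hand-off token instead of the session id itself, so the real id never appears in a URL, browser history or referrer log; the regeneration on receipt is the step the poster recommends. The hostnames, the token directory, and the assumption that both hosts serve the same files from one filesystem (as shared SSL on one hosting account normally does) are assumptions for the example; it needs PHP 7 or later for random_bytes().

```php
<?php
// handoff.php: cross-host session hand-off for a shared-SSL setup.
// Added example; assumes http://example.com and https://secure.mywebhost.com/~example
// serve the same PHP files from one filesystem, so a token store outside the
// web root is reachable from both hosts. Hostnames and paths are hypothetical.
declare(strict_types=1);

const HANDOFF_DIR = __DIR__ . '/../private/handoff';          // hypothetical, outside the web root
const HANDOFF_TTL = 30;                                        // seconds a token stays valid
const SECURE_BASE = 'https://secure.mywebhost.com/~example';   // hypothetical shared-SSL address
const PLAIN_BASE  = 'http://example.com';

/** Base URL of the host handling the current request. */
function current_base(): string
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    return $https ? SECURE_BASE : PLAIN_BASE;
}

/** Create a single-use token that carries the logged-in user id, not the session id. */
function issue_handoff_token(int $userId): string
{
    if (!is_dir(HANDOFF_DIR) && !mkdir(HANDOFF_DIR, 0700, true)) {
        throw new RuntimeException('cannot create handoff directory');
    }
    $token  = bin2hex(random_bytes(32));                       // 256 bits from the CSPRNG
    $record = json_encode(['uid' => $userId, 'exp' => time() + HANDOFF_TTL]);
    // Stored under its hash: a leaked directory listing reveals nothing redeemable.
    file_put_contents(HANDOFF_DIR . '/' . hash('sha256', $token), $record, LOCK_EX);
    return $token;
}

/** Redeem a token exactly once; returns the user id, or null if invalid or expired. */
function redeem_handoff_token(string $token): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                                           // not our format, reject early
    }
    $path = HANDOFF_DIR . '/' . hash('sha256', $token);
    if (!is_file($path)) {
        return null;
    }
    $record = json_decode((string) file_get_contents($path), true);
    unlink($path);                                             // single use: delete before trusting
    if (!is_array($record) || ($record['exp'] ?? 0) < time()) {
        return null;
    }
    return (int) $record['uid'];
}

/** Originating host: send a logged-in user to the same path on the other scheme. */
function redirect_across_scheme(string $targetPath): void
{
    session_start();
    if (empty($_SESSION['uid'])) {
        header('Location: ' . PLAIN_BASE . '/login.php', true, 302);
        exit;
    }
    $token = issue_handoff_token((int) $_SESSION['uid']);
    $other = current_base() === SECURE_BASE ? PLAIN_BASE : SECURE_BASE;
    header('Location: ' . $other . '/handoff.php?t=' . rawurlencode($token)
        . '&next=' . rawurlencode($targetPath), true, 302);
    exit;
}

/** Receiving host: rebuild the session from the token, then regenerate the id. */
function accept_handoff(): void
{
    $uid = redeem_handoff_token((string) ($_GET['t'] ?? ''));
    if ($uid === null) {
        http_response_code(403);
        exit('handoff token invalid or expired');
    }
    session_start();
    session_regenerate_id(true);                               // fresh id on this host, old one discarded
    $_SESSION = ['uid' => $uid];                               // only what the token vouched for
    $next = (string) ($_GET['next'] ?? '/');
    // Accept only a local path (no scheme, no leading "//") so this cannot become an open redirect.
    if (!preg_match('#^/(?!/)[A-Za-z0-9_\-./?=&%]*$#', $next)) {
        $next = '/';
    }
    header('Location: ' . current_base() . $next, true, 302);
    exit;
}

if (PHP_SAPI !== 'cli' && basename((string) ($_SERVER['SCRIPT_FILENAME'] ?? '')) === basename(__FILE__)) {
    accept_handoff();
}
```

A link such as "proceed to checkout" on the http side calls redirect_across_scheme('/checkout.php'); the https side receives the token on handoff.php, redeems it once, starts a brand-new session and continues to the requested page. Expired token files are never redeemed but are only deleted when touched, so a periodic sweep of HANDOFF_DIR (a cron job deleting files older than HANDOFF_TTL) keeps the store small.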


 Post subject: Re: https logins
PostPosted: Tue Sep 18, 2012 4:20 pm 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
:) Thank you for the description; as I mentioned I won't be handling the hosting, but it was worthwhile reading which issues there might be should SSL be used. If it is used, the more likely option will be the private login system, and user registration will be done by the administrator/s, so no public registration will be present.


