Note: When I use the word "key" below, I simply mean a text string used by my scripts, not an encryption key.
I (actually my client -- not me) have an unencrypted server with the MySQL database, etc. Then I have another server with SSL provided by the hosting company. The only script on the SSL server is the one for taking payment info. I want to send a unique key to the SSL server with each customer, and I'd like it to be over the secure line. So instead of sending the key to the customer's browser (over the unsecured line) as part of the link to the secure server, if I send the key directly to the secure server via an include call then redirect the client's browser with a header statement, would that connection (the include for sending the key) be secured?
In other words, does the unsecured server get the same protection when communicating with a secured server via a PHP include call, as a web browser does when communicating with the secured server? Thanks in advance.
is an include call to ssl server secured?
- feyd
Including a secure script on an insecure page isn't secure. This route can be more so, if you use the proper protocols. The problem is any secure data touching anything insecure is by virtue insecure. It would be best to have the secure server on the insecure server, that way no external communications are required, making their communications far more secure.
- Christopher
I think there is some confusion over using include() and server-to-server protocols. When you include a file on the same server it is secure because it is a file read and no data is available outside the server. If you include a PHP page on another server you will get the output of the PHP page -- not the code for parsing.
If you want to have a back channel between the servers there are several ways to do this, but you may just want to use CURL to communicate with the checkout server using HTTPS. That is how many payment processors work.
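The HTTPS back channel suggested in the last reply could look like the following; this is an added example, not code from anyone in the thread. The endpoint URLs, the `X-Key-Mac` header, the field names and the shared secret are all assumptions made for illustration.

```php
<?php
// Added example: URLs, header name and shared secret below are hypothetical.
const CHECKOUT_URL  = 'https://secure.example.com/register_key.php'; // assumed endpoint
const SHARED_SECRET = 'replace-with-long-random-value'; // assumed, stored on both servers

function send_key_to_checkout(string $key): bool
{
    $body = http_build_query(['key' => $key, 'ts' => time()]);
    // The MAC lets the checkout server confirm the request came from the
    // storefront server and was not altered; TLS alone does not prove that.
    $mac = hash_hmac('sha256', $body, SHARED_SECRET);

    $ch = curl_init(CHECKOUT_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_HTTPHEADER     => ['X-Key-Mac: ' . $mac],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,             // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,                // certificate must match the host name
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // refuse plain HTTP
        CURLOPT_FOLLOWLOCATION => false,            // no redirect to another scheme or host
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $response = curl_exec($ch);
    $status   = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $error    = curl_error($ch);
    curl_close($ch);

    if ($response === false || $status !== 200) {
        // Log the failure without writing the key itself to the log.
        error_log("checkout key transfer failed: status=$status error=$error");
        return false;
    }
    return true;
}

$key = bin2hex(random_bytes(16)); // unguessable per-customer key
if (send_key_to_checkout($key)) {
    // The key went server to server over TLS; now send the browser on.
    header('Location: https://secure.example.com/pay.php'); // assumed payment page
    exit;
}
http_response_code(502); // transfer failed: do not send the customer to checkout
```

The transfer is only protected if certificate verification stays enabled; setting `CURLOPT_SSL_VERIFYPEER` to `false` to silence certificate errors leaves the key exposed to anyone who can intercept the connection between the two servers.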