On SSL pages: Some parts are nonsecure?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

On SSL pages: Some parts are nonsecure?

Post by kaisellgren

Hi,

I am running an SSL page on my website. Basically what I am doing is that I use PHP to check that the protocol is HTTPS; if it is not, then I redirect to the HTTPS version of that particular page (a secure registration page).

Now I have one problem only. The images on the secure page are being loaded as HTTP, not HTTPS (no SSL). So therefore IE and maybe some other browsers complain that certain parts are insecure, such as images, the CSS file, etc. If the user clicks "no, don't show unsecure" then the site loses all CSS and gfx...

How would I easily solve this problem? Firefox & Opera seem to accept non-SSL images and files (they trust the website author?). There's an option in IE to disable this check, but by default it's checking and complaining.

Any ideas? I was thinking about JS that converts all href="" src="" etc. to HTTPS, but still it won't help much (cuz the site was originally loaded with nonsecure hrefs).

Re: On SSL pages: Some parts are nonsecure?

Post by Mordred

Link to the images with relative URLs; the https will come natively for https pages, and they will remain http for http pages.

Re: On SSL pages: Some parts are nonsecure?

Post by kaisellgren

Yea, but I found an easier solution ;)

Code:

<base href="https://site.com" />
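
As an added example, not part of the thread or any poster's code: a small Node.js check for the behaviour discussed above. It resolves each subresource URL the way a browser does (against the page URL, or the first `<base href>` if present) and reports those that would still load over plain HTTP. The hosts and markup are constructed, and the regex tag scan is a simplification that assumes quoted attribute values.

```javascript
// Added example: which subresources of a page would be fetched over plain HTTP?
// SAMPLE markup and the hosts site.example / cdn.example are constructed.

// Attribute that triggers a fetch for each tag (simplified: every <link> counts).
const SUBRESOURCE_ATTRS = { img: 'src', script: 'src', iframe: 'src', link: 'href' };

// Read one quoted attribute value out of a tag's source text.
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*(["'])(.*?)\\1`, 'i').exec(tag);
  return m ? m[2] : null;
}

// Resolve every subresource URL as a browser would and return the http: ones.
function findInsecureLoads(html, pageUrl) {
  let base = pageUrl;
  let baseSeen = false;
  const findings = [];
  for (const [tag, rawName] of html.matchAll(/<([a-zA-Z]+)\b[^>]*>/g)) {
    const name = rawName.toLowerCase();
    if (name === 'base') {
      // Only the first <base href> counts; it replaces the page URL
      // as the root for relative and scheme-relative URLs.
      const href = attr(tag, 'href');
      if (href && !baseSeen) { base = new URL(href, pageUrl).href; baseSeen = true; }
      continue;
    }
    const attrName = SUBRESOURCE_ATTRS[name];
    const value = attrName ? attr(tag, attrName) : null;
    if (!value) continue;
    const resolved = new URL(value, base); // WHATWG URL resolution
    if (resolved.protocol === 'http:') {
      findings.push({ tag: name, value, resolved: resolved.href });
    }
  }
  return findings;
}

// Constructed page body: two relative URLs, one hard-coded http:// URL,
// and one scheme-relative URL.
const SAMPLE = `
<link rel="stylesheet" href="/css/main.css">
<img src="images/logo.png">
<img src="http://site.example/images/banner.png">
<script src="//cdn.example/lib.js"></script>`;

console.log(findInsecureLoads(SAMPLE, 'https://site.example/register.php'));
```

On the HTTPS page only the hard-coded `http://` image is reported, and adding a `<base href="https://...">` does not change that: a base URL only affects relative references, so absolute `http://` links have to be fixed in the markup itself.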