Hi,
I am working on the phpmvc framework. I want to make my login page secure, like https. So when I log in to my site, the site URL changes from https to http, and at that point it asks me to log in again. How can I handle this issue?
I just want the login page to be https and all other pages to be simple http only.
Please help me out if you have any solution.
Thanks
issue of ssl to non ssl page
mishalhshah
kaisellgren
Re: issue of ssl to non ssl page
Code:
$_SERVER['SERVER_PORT'] // 443 when the request arrived over SSL, 80 for plain http
aschlosberg
Re: issue of ssl to non ssl page
If you have a login form on every page you won't be able to implement this by checking the server port on the login page, as it will be too late (credentials will have been sent unencrypted). Ensure that login credentials are sent to https://your.domain/login.php, which can then update the session and return a header to redirect back to http.
If your sessions are set to only use cookies this won't cause any problems because they are domain specific and independent of transfer protocol.
Code:
header("Location: http://your.domain/protected.php");

If you want the other pages to be forced to use http instead of https you can achieve this with mod_rewrite RewriteCond - let me know if you want an example. Just note that sessions can be hijacked this way though.
kaisellgren
Re: issue of ssl to non ssl page
aschlosberg wrote:
> If you have a login form on every page you won't be able to implement this by checking the server port on the login page, as it will be too late (credentials will have been sent unencrypted). Ensure that login credentials are sent to https://your.domain/login.php, which can then update the session and return a header to redirect back to http.
> If your sessions are set to only use cookies this won't cause any problems because they are domain specific and independent of transfer protocol.
> Code:
> header("Location: http://your.domain/protected.php");
> If you want the other pages to be forced to use http instead of https you can achieve this with mod_rewrite RewriteCond - let me know if you want an example. Just note that sessions can be hijacked this way though.

First of all, there are browsers - actually one (you can guess which one...) - that will not handle your https:// form action field appropriately.

Secondly, it does not matter if we use SSL for our login if we are using header redirection to HTTP (non-SSL). The purpose is not only to prevent the password being sent in plaintext; the purpose is to prevent the password and the cookies being sent as plaintext. Many webmails have been cracked this way. Luckily Gmail is an exception and is using SSL site-wide. Like you said, switching from HTTPS to HTTP is not safe. Well, you did not use that word, but I wanted to clarify.
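An added example, not code from the thread or from the phpmvc project, that combines aschlosberg's advice (accept credentials only at an https:// login script) with kaisellgren's point about the cookie: the session cookie is marked Secure, so the browser never sends it over plain http, which is exactly why a redirect back to http cannot keep the user logged in safely. The function names, the user record and the host fallback are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread or from phpmvc: a login endpoint that
// refuses credentials arriving over plain HTTP and issues a session cookie the
// browser never sends over HTTP. Function names and the user record are assumed.
// Was this request made over TLS? Behind some proxies $_SERVER['HTTPS'] is
// unset, so the SERVER_PORT check mentioned in the thread is the fallback.
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

// Constructed credential store: only a password hash is kept, never plaintext.
function find_password_hash(string $user): ?string
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $users[$user] ?? null;
}

function handle_login(array $server, array $post): void
{
    $host = $server['HTTP_HOST'] ?? 'your.domain';
    if (!request_is_https($server)) {
        // Never read credentials from a plaintext request; send the browser
        // to the HTTPS login page without touching $post.
        header('Location: https://' . $host . '/login.php', true, 303);
        exit;
    }
    $hash = find_password_hash($post['username'] ?? '');
    if ($hash === null || !password_verify($post['password'] ?? '', $hash)) {
        http_response_code(401);
        exit('Login failed');
    }
    // Secure + HttpOnly: the cookie travels only over HTTPS and is hidden from
    // scripts, so redirecting back to http:// would leave the user logged out.
    // That is the reason to keep the whole logged-in area on HTTPS.
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
    session_regenerate_id(true);   // fresh session id after login
    $_SESSION['user'] = $post['username'];
    header('Location: https://' . $host . '/protected.php', true, 303);
    exit;
}
handle_login($_SERVER, $_POST);
```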