
issue of ssl to non ssl page

Posted: Fri Jan 23, 2009 12:32 am
by mishalhshah
hi,
I am working on the phpmvc framework. I want to make my login page secure, like https. So when I log into my site, at that time my site URL changes from https to http, and at that time it asks me to log in again, so how can I handle this issue?

I just want login page as https and all other page as simple like http only.

Please help me out if you have any solution.
Thanks

Re: issue of ssl to non ssl page

Posted: Fri Jan 23, 2009 7:29 am
by kaisellgren

Code:

$_SERVER['SERVER_PORT']

Force the login page to load with port 443, which means if the port is not 443, redirect the user to https://...
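As an added example (not code from this thread), here is what kaisellgren's port check looks like in PHP on the page that renders the login form. It assumes PHP 7+ running directly behind Apache, which sets $_SERVER['HTTPS'] for TLS requests, and a placeholder canonical host name; behind a TLS-terminating proxy, SERVER_PORT and HTTPS describe the proxy hop rather than the client's connection, so the check would have to trust a header from that proxy instead.

```php
<?php
// Added example, not from the thread: send the login form page to HTTPS
// before the form is rendered. Assumes PHP 7+ directly behind Apache.
const CANONICAL_HOST = 'your.domain'; // placeholder; deliberately not taken
                                      // from the Host header, which the client controls

function is_https(): bool
{
    // Apache sets HTTPS to "on" for TLS requests; SERVER_PORT is 443 by
    // default. Checking both keeps a non-default TLS port working.
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        return true;
    }
    return isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443;
}

function require_https(): void
{
    if (is_https()) {
        return;
    }
    // Only GET/HEAD can be bounced safely. A POST arriving here has already
    // carried the credentials in cleartext, so it is refused, not redirected.
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    if ($method !== 'GET' && $method !== 'HEAD') {
        http_response_code(403);
        exit('The login form must be submitted over HTTPS.');
    }
    $uri = $_SERVER['REQUEST_URI'] ?? '/login.php';
    // 301 so browsers and caches remember the HTTPS location.
    header('Location: https://' . CANONICAL_HOST . $uri, true, 301);
    exit;
}

require_https();
// Render the form below. Its action must be an absolute https:// URL so
// that the POST carrying the password is encrypted as well.
```

Put this at the top of the login page, before any output. The redirect target is built from a configured host rather than $_SERVER['HTTP_HOST'] so that a forged Host header cannot turn the redirect into an open redirect.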

Re: issue of ssl to non ssl page

Posted: Fri Jan 23, 2009 10:23 pm
by aschlosberg
If you have a login form on every page you won't be able to implement this by checking the server port on the login page, as it will be too late (credentials will have been sent unencrypted). Ensure that login credentials are sent to https://your.domain/login.php, which can then update the session and return a header to redirect back to http:

Code:

header("Location: http://your.domain/protected.php");

If your sessions are set to only use cookies this won't cause any problems, because they are domain specific and independent of transfer protocol.

If you want the other pages to be forced to use http instead of https you can achieve this with mod_rewrite RewriteCond - let me know if you want an example. Just note that sessions can be hijacked this way though.
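As an added example (not code from this thread), here is the https://your.domain/login.php handler aschlosberg describes, written the way a defender would: it refuses a POST that did not arrive over TLS, verifies the password with password_verify, regenerates the session id after a successful login, and sets the session cookie flags explicitly. It assumes PHP 7+ behind a server that sets $_SERVER['HTTPS']; the user record, host name and landing page are constructed placeholders.

```php
<?php
// Added example, not from the thread: the login.php handler that receives
// the credentials over HTTPS. Assumes PHP 7+ and that the web server sets
// $_SERVER['HTTPS'] for TLS requests (Apache does).
declare(strict_types=1);

const CANONICAL_HOST = 'your.domain';    // placeholder; not taken from the Host header
const AFTER_LOGIN    = '/protected.php'; // placeholder landing page

// Refuse rather than redirect: if this POST came over plain HTTP the
// password is already on the wire, and a redirect would not undo that.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    exit('Credentials must be submitted over HTTPS.');
}
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit;
}

// Constructed stand-in for the user table. The hash is computed at request
// time only so that the example runs without a database.
function find_user(string $name): ?array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    return $users[$name] ?? null;
}

// Cookie flags: secure=true makes the browser send the session cookie only
// over HTTPS, so it cannot be sniffed on http:// pages, but those pages then
// cannot see the session either. The header("Location: http://...") redirect
// quoted above only works with secure=false, which is precisely the case in
// which the session id travels in cleartext and can be hijacked.
session_set_cookie_params(0, '/', '', true, true); // lifetime, path, domain, secure, httponly
session_start();

$name = (string) ($_POST['username'] ?? '');
$pass = (string) ($_POST['password'] ?? '');
$user = find_user($name);

if ($user === null || !password_verify($pass, $user['hash'])) {
    // Identical response for an unknown user and a wrong password.
    http_response_code(401);
    exit('Login failed.');
}

// A fresh session id after authentication prevents session fixation.
session_regenerate_id(true);
$_SESSION['user'] = $name;

// Stay on HTTPS after login; see the cookie-flag comment above.
header('Location: https://' . CANONICAL_HOST . AFTER_LOGIN, true, 303);
exit;
```

The design choice worth noticing is the 403 on a non-TLS POST: the port check on the form page (the previous reply) protects the page that renders the form, while this check protects the endpoint that receives the credentials, and both are needed if a login form appears on pages served over http.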

Re: issue of ssl to non ssl page

Posted: Sat Jan 24, 2009 7:42 am
by kaisellgren
aschlosberg wrote:
If you have a login form on every page you won't be able to implement this by checking the server port on the login page, as it will be too late (credentials will have been sent unencrypted). Ensure that login credentials are sent to https://your.domain/login.php, which can then update the session and return a header to redirect back to http:

Code:

header("Location: http://your.domain/protected.php");

If your sessions are set to only use cookies this won't cause any problems, because they are domain specific and independent of transfer protocol.

If you want the other pages to be forced to use http instead of https you can achieve this with mod_rewrite RewriteCond - let me know if you want an example. Just note that sessions can be hijacked this way though.
First of all, there are browsers - actually one (you can guess which one...) - that will not handle your https:// form action field appropriately.

Secondly, it does not matter if we use SSL for our login if we are using header redirection to HTTP (non-SSL). The purpose is not only to prevent the password being sent in plaintext; the purpose is to prevent the password and cookies being sent as plaintext. Many webmails have been cracked this way. Luckily Gmail is an exception and is using SSL site-wide. Like you said, switching from HTTPS to HTTP is not safe. Well, you did not use that word, but I wanted to clarify.